From 72fd82a3500df8f2bbe64fa23d9aa2d30426ec6b Mon Sep 17 00:00:00 2001 From: Yves Galante Date: Wed, 24 Jan 2024 17:57:58 +0100 Subject: [PATCH] A first version --- .github/workflows/build.yml | 39 + .gitignore | 1 + .../certificate/v1/types_gen.cue | 422 +++++ .../cert-manager.io/issuer/v1/types_gen.cue | 1589 +++++++++++++++++ .../api/admission/v1/register_go_gen.cue | 7 + .../k8s.io/api/admission/v1/types_go_gen.cue | 172 ++ .../admissionregistration/v1/doc_go_gen.cue | 9 + .../v1/register_go_gen.cue | 7 + .../admissionregistration/v1/types_go_gen.cue | 645 +++++++ .../api/authentication/v1/register_go_gen.cue | 7 + .../api/authentication/v1/types_go_gen.cue | 206 +++ .../api/authorization/v1/register_go_gen.cue | 7 + .../api/authorization/v1/types_go_gen.cue | 262 +++ .../api/autoscaling/v1/register_go_gen.cue | 7 + .../api/autoscaling/v1/types_go_gen.cue | 542 ++++++ .../api/autoscaling/v2/register_go_gen.cue | 7 + .../api/autoscaling/v2/types_go_gen.cue | 597 +++++++ .../k8s.io/api/batch/v1/register_go_gen.cue | 7 + .../gen/k8s.io/api/batch/v1/types_go_gen.cue | 693 +++++++ .../api/certificates/v1/register_go_gen.cue | 7 + .../api/certificates/v1/types_go_gen.cue | 318 ++++ .../api/coordination/v1/register_go_gen.cue | 7 + .../api/coordination/v1/types_go_gen.cue | 61 + .../api/discovery/v1/register_go_gen.cue | 7 + .../k8s.io/api/discovery/v1/types_go_gen.cue | 206 +++ .../discovery/v1/well_known_labels_go_gen.cue | 20 + .../k8s.io/api/events/v1/register_go_gen.cue | 7 + .../gen/k8s.io/api/events/v1/types_go_gen.cue | 111 ++ .../api/networking/v1/register_go_gen.cue | 7 + .../k8s.io/api/networking/v1/types_go_gen.cue | 588 ++++++ .../v1/well_known_annotations_go_gen.cue | 11 + .../k8s.io/api/node/v1/register_go_gen.cue | 7 + .../gen/k8s.io/api/node/v1/types_go_gen.cue | 90 + .../gen/k8s.io/api/policy/v1/doc_go_gen.cue | 8 + .../k8s.io/api/policy/v1/register_go_gen.cue | 7 + .../gen/k8s.io/api/policy/v1/types_go_gen.cue | 204 +++ .../k8s.io/api/rbac/v1/register_go_gen.cue | 7 + .../gen/k8s.io/api/rbac/v1/types_go_gen.cue | 207 +++ .../api/scheduling/v1/register_go_gen.cue | 7 + .../k8s.io/api/scheduling/v1/types_go_gen.cue | 57 + .../k8s.io/api/storage/v1/register_go_gen.cue | 7 + .../k8s.io/api/storage/v1/types_go_gen.cue | 652 +++++++ .../pkg/apis/apiextensions/v1/doc_go_gen.cue | 6 + .../apis/apiextensions/v1/register_go_gen.cue | 7 + .../apis/apiextensions/v1/types_go_gen.cue | 513 ++++++ .../v1/types_jsonschema_go_gen.cue | 317 ++++ templates/certificates.cue | 63 + templates/config.cue | 212 ++- templates/configmap.cue | 194 ++ templates/deployment.cue | 161 +- templates/networking.cue | 40 + templates/poddisruptionbudget.cue | 19 + templates/service.cue | 53 +- templates/serviceaccount.cue | 21 + test/certificate-values.cue | 54 + test/certificate.yaml | 350 ++++ test/external-secrets-values.cue | 35 + test/external-secrets.yaml | 181 ++ test/http-values.cue | 35 + test/http.yaml | 123 ++ test/keycloak.bundle.cue | 15 + test/minimum-values.cue | 11 + test/minimum.yaml | 109 ++ test/networkpolicy-values.cue | 28 + test/networkpolicy.yaml | 271 +++ test/pdb-values.cue | 23 + test/pdb.yaml | 256 +++ test/sa-values.cue | 40 + test/sa.yaml | 135 ++ test/test.sh | 15 + timoni.ignore | 6 + values.cue | 9 +- 72 files changed, 11066 insertions(+), 65 deletions(-) create mode 100644 .github/workflows/build.yml create mode 100644 .gitignore create mode 100644 cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue create mode 100644 cue.mod/gen/cert-manager.io/issuer/v1/types_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue create mode 100644 cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue create mode 100644 templates/certificates.cue create mode 100644 templates/configmap.cue create mode 100644 templates/networking.cue create mode 100644 templates/poddisruptionbudget.cue create mode 100644 templates/serviceaccount.cue create mode 100644 test/certificate-values.cue create mode 100644 test/certificate.yaml create mode 100644 test/external-secrets-values.cue create mode 100644 test/external-secrets.yaml create mode 100644 test/http-values.cue create mode 100644 test/http.yaml create mode 100644 test/keycloak.bundle.cue create mode 100644 test/minimum-values.cue create mode 100644 test/minimum.yaml create mode 100644 test/networkpolicy-values.cue create mode 100644 test/networkpolicy.yaml create mode 100644 test/pdb-values.cue create mode 100644 test/pdb.yaml create mode 100644 test/sa-values.cue create mode 100644 test/sa.yaml create mode 100755 test/test.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..cbea5ba --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,39 @@ +name: Release and sign module +on: + push: + tag: ['*'] # semver format + +permissions: + contents: read # needed for checkout + packages: write # needed for GHCR access + id-token: write # needed for signing + +jobs: + push: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Setup Cosign + uses: sigstore/cosign-installer@main + - name: Setup Timoni + uses: stefanprodan/timoni/actions/setup@main + - name: Login to GHCR + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Vet module + run: | + timoni mod vet . -f test/minimum-values.cue + - name: Push and Sign + run: | + timoni mod push . \ + oci://ghcr.io/${{ github.repository_owner }}/keycloak \ + --version ${{ github.ref_name }} \ + --sign=cosign \ + --latest \ + -a 'org.opencontainers.image.licenses=Apache-2.0' \ + -a 'org.opencontainers.image.source=https://github.com/yyvess/keycloak-timoni' \ + -a 'org.opencontainers.image.description=A Keycloakh module.' \ diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e183ace --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/keycloak-timoni.iml diff --git a/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue b/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue new file mode 100644 index 0000000..750f3e5 --- /dev/null +++ b/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue @@ -0,0 +1,422 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/cert-manager/cert-manager/master/deploy/crds/crd-certificates.yaml + +package v1 + +import "strings" + +// A Certificate resource should be created to ensure an up to +// date and signed X.509 certificate is stored in the Kubernetes +// Secret resource named in `spec.secretName`. +// The stored certificate will be renewed before it expires (as +// configured by `spec.renewBefore`). +#Certificate: { + // APIVersion defines the versioned schema of this representation + // of an object. Servers should convert recognized schemas to the + // latest internal value, and may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "cert-manager.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. Servers may infer this from the endpoint + // the client submits requests to. Cannot be updated. In + // CamelCase. More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Certificate" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Specification of the desired state of the Certificate resource. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + spec!: #CertificateSpec +} + +// Specification of the desired state of the Certificate resource. +// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +#CertificateSpec: { + // Defines extra output formats of the private key and signed + // certificate chain to be written to this Certificate's target + // Secret. + // This is an Alpha Feature and is only enabled with the + // `--feature-gates=AdditionalCertificateOutputFormats=true` + // option set on both the controller and webhook components. + additionalOutputFormats?: [...{ + // Type is the name of the format type that should be written to + // the Certificate's target Secret. + type: "DER" | "CombinedPEM" + }] + + // Requested common name X509 certificate subject attribute. More + // info: + // https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + // NOTE: TLS clients will ignore this value when any subject + // alternative name is set (see + // https://tools.ietf.org/html/rfc6125#section-6.4.4). + // Should have a length of 64 characters or fewer to avoid + // generating invalid CSRs. Cannot be set if the `literalSubject` + // field is set. + commonName?: string + + // Requested DNS subject alternative names. + dnsNames?: [...string] + + // Requested 'duration' (i.e. lifetime) of the Certificate. Note + // that the issuer may choose to ignore the requested duration, + // just like any other requested attribute. + // If unset, this defaults to 90 days. Minimum accepted duration + // is 1 hour. Value must be in units accepted by Go + // time.ParseDuration https://golang.org/pkg/time/#ParseDuration. + duration?: string + + // Requested email subject alternative names. + emailAddresses?: [...string] + + // Whether the KeyUsage and ExtKeyUsage extensions should be set + // in the encoded CSR. + // This option defaults to true, and should only be disabled if + // the target issuer does not support CSRs with these X509 + // KeyUsage/ ExtKeyUsage extensions. + encodeUsagesInRequest?: bool + + // Requested IP address subject alternative names. + ipAddresses?: [...string] + + // Requested basic constraints isCA value. The isCA value is used + // to set the `isCA` field on the created CertificateRequest + // resources. Note that the issuer may choose to ignore the + // requested isCA value, just like any other requested attribute. + // If true, this will automatically add the `cert sign` usage to + // the list of requested `usages`. + isCA?: bool + + // Reference to the issuer responsible for issuing the + // certificate. If the issuer is namespace-scoped, it must be in + // the same namespace as the Certificate. If the issuer is + // cluster-scoped, it can be used from any namespace. + // The `name` field of the reference must always be specified. + issuerRef: { + // Group of the resource being referred to. + group?: string + + // Kind of the resource being referred to. + kind?: string + + // Name of the resource being referred to. + name: string + } + + // Additional keystore output formats to be stored in the + // Certificate's Secret. + keystores?: { + // JKS configures options for storing a JKS keystore in the + // `spec.secretName` Secret resource. + jks?: { + // Create enables JKS keystore creation for the Certificate. If + // true, a file named `keystore.jks` will be created in the + // target Secret resource, encrypted using the password stored in + // `passwordSecretRef`. The keystore file will be updated + // immediately. If the issuer provided a CA certificate, a file + // named `truststore.jks` will also be created in the target + // Secret resource, encrypted using the password stored in + // `passwordSecretRef` containing the issuing Certificate + // Authority + create: bool + + // PasswordSecretRef is a reference to a key in a Secret resource + // containing the password used to encrypt the JKS keystore. + passwordSecretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + } + + // PKCS12 configures options for storing a PKCS12 keystore in the + // `spec.secretName` Secret resource. + pkcs12?: { + // Create enables PKCS12 keystore creation for the Certificate. If + // true, a file named `keystore.p12` will be created in the + // target Secret resource, encrypted using the password stored in + // `passwordSecretRef`. The keystore file will be updated + // immediately. If the issuer provided a CA certificate, a file + // named `truststore.p12` will also be created in the target + // Secret resource, encrypted using the password stored in + // `passwordSecretRef` containing the issuing Certificate + // Authority + create: bool + + // PasswordSecretRef is a reference to a key in a Secret resource + // containing the password used to encrypt the PKCS12 keystore. + passwordSecretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // Profile specifies the key and certificate encryption algorithms + // and the HMAC algorithm used to create the PKCS12 keystore. + // Default value is `LegacyRC2` for backward compatibility. + // If provided, allowed values are: `LegacyRC2`: Deprecated. Not + // supported by default in OpenSSL 3 or Java 20. `LegacyDES`: + // Less secure algorithm. Use this option for maximal + // compatibility. `Modern2023`: Secure algorithm. Use this option + // in case you have to always use secure algorithms (eg. because + // of company policy). Please note that the security of the + // algorithm is not that important in reality, because the + // unencrypted certificate and private key are also stored in the + // Secret. + profile?: "LegacyRC2" | "LegacyDES" | "Modern2023" + } + } + + // Requested X.509 certificate subject, represented using the LDAP + // "String Representation of a Distinguished Name" [1]. + // Important: the LDAP string format also specifies the order of + // the attributes in the subject, this is important when issuing + // certs for LDAP authentication. Example: + // `CN=foo,DC=corp,DC=example,DC=com` More info [1]: + // https://datatracker.ietf.org/doc/html/rfc4514 More info: + // https://github.com/cert-manager/cert-manager/issues/3203 More + // info: https://github.com/cert-manager/cert-manager/issues/4424 + // Cannot be set if the `subject` or `commonName` field is set. + // This is an Alpha Feature and is only enabled with the + // `--feature-gates=LiteralCertificateSubject=true` option set on + // both the controller and webhook components. + literalSubject?: string + + // x.509 certificate NameConstraint extension which MUST NOT be + // used in a non-CA certificate. More Info: + // https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 + // This is an Alpha Feature and is only enabled with the + // `--feature-gates=NameConstraints=true` option set on both the + // controller and webhook components. + nameConstraints?: { + // if true then the name constraints are marked critical. + critical?: bool + + // Excluded contains the constraints which must be disallowed. Any + // name matching a restriction in the excluded field is invalid + // regardless of information appearing in the permitted + excluded?: { + // DNSDomains is a list of DNS domains that are permitted or + // excluded. + dnsDomains?: [...string] + + // EmailAddresses is a list of Email Addresses that are permitted + // or excluded. + emailAddresses?: [...string] + + // IPRanges is a list of IP Ranges that are permitted or excluded. + // This should be a valid CIDR notation. + ipRanges?: [...string] + + // URIDomains is a list of URI domains that are permitted or + // excluded. + uriDomains?: [...string] + } + + // Permitted contains the constraints in which the names must be + // located. + permitted?: { + // DNSDomains is a list of DNS domains that are permitted or + // excluded. + dnsDomains?: [...string] + + // EmailAddresses is a list of Email Addresses that are permitted + // or excluded. + emailAddresses?: [...string] + + // IPRanges is a list of IP Ranges that are permitted or excluded. + // This should be a valid CIDR notation. + ipRanges?: [...string] + + // URIDomains is a list of URI domains that are permitted or + // excluded. + uriDomains?: [...string] + } + } + + // `otherNames` is an escape hatch for SAN that allows any type. + // We currently restrict the support to string like otherNames, + // cf RFC 5280 p 37 Any UTF8 String valued otherName can be + // passed with by setting the keys oid: x.x.x.x and UTF8Value: + // somevalue for `otherName`. Most commonly this would be UPN set + // with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any + // OID passed is valid for the UTF8String type as we do not + // explicitly validate this. + otherNames?: [...{ + // OID is the object identifier for the otherName SAN. The object + // identifier must be expressed as a dotted string, for example, + // "1.2.840.113556.1.4.221". + oid?: string + + // utf8Value is the string value of the otherName SAN. The + // utf8Value accepts any valid UTF8 string to set as value for + // the otherName SAN. + utf8Value?: string + }] + + // Private key options. These include the key algorithm and size, + // the used encoding and the rotation policy. + privateKey?: { + // Algorithm is the private key algorithm of the corresponding + // private key for this certificate. + // If provided, allowed values are either `RSA`, `ECDSA` or + // `Ed25519`. If `algorithm` is specified and `size` is not + // provided, key size of 2048 will be used for `RSA` key + // algorithm and key size of 256 will be used for `ECDSA` key + // algorithm. key size is ignored when using the `Ed25519` key + // algorithm. + algorithm?: "RSA" | "ECDSA" | "Ed25519" + + // The private key cryptography standards (PKCS) encoding for this + // certificate's private key to be encoded in. + // If provided, allowed values are `PKCS1` and `PKCS8` standing + // for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if + // not specified. + encoding?: "PKCS1" | "PKCS8" + + // RotationPolicy controls how private keys should be regenerated + // when a re-issuance is being processed. + // If set to `Never`, a private key will only be generated if one + // does not already exist in the target `spec.secretName`. If one + // does exists but it does not have the correct algorithm or + // size, a warning will be raised to await user intervention. If + // set to `Always`, a private key matching the specified + // requirements will be generated whenever a re-issuance occurs. + // Default is `Never` for backward compatibility. + rotationPolicy?: "Never" | "Always" + + // Size is the key bit size of the corresponding private key for + // this certificate. + // If `algorithm` is set to `RSA`, valid values are `2048`, `4096` + // or `8192`, and will default to `2048` if not specified. If + // `algorithm` is set to `ECDSA`, valid values are `256`, `384` + // or `521`, and will default to `256` if not specified. If + // `algorithm` is set to `Ed25519`, Size is ignored. No other + // values are allowed. + size?: int + } + + // How long before the currently issued certificate's expiry + // cert-manager should renew the certificate. For example, if a + // certificate is valid for 60 minutes, and `renewBefore=10m`, + // cert-manager will begin to attempt to renew the certificate 50 + // minutes after it was issued (i.e. when there are 10 minutes + // remaining until the certificate is no longer valid). + // NOTE: The actual lifetime of the issued certificate is used to + // determine the renewal time. If an issuer returns a certificate + // with a different lifetime than the one requested, cert-manager + // will use the lifetime of the issued certificate. + // If unset, this defaults to 1/3 of the issued certificate's + // lifetime. Minimum accepted value is 5 minutes. Value must be + // in units accepted by Go time.ParseDuration + // https://golang.org/pkg/time/#ParseDuration. + renewBefore?: string + + // The maximum number of CertificateRequest revisions that are + // maintained in the Certificate's history. Each revision + // represents a single `CertificateRequest` created by this + // Certificate, either when it was created, renewed, or Spec was + // changed. Revisions will be removed by oldest first if the + // number of revisions exceeds this number. + // If set, revisionHistoryLimit must be a value of `1` or greater. + // If unset (`nil`), revisions will not be garbage collected. + // Default value is `nil`. + revisionHistoryLimit?: int + + // Name of the Secret resource that will be automatically created + // and managed by this Certificate resource. It will be populated + // with a private key and certificate, signed by the denoted + // issuer. The Secret resource lives in the same namespace as the + // Certificate resource. + secretName: string + + // Defines annotations and labels to be copied to the + // Certificate's Secret. Labels and annotations on the Secret + // will be changed as they appear on the SecretTemplate when + // added or removed. SecretTemplate annotations are added in + // conjunction with, and cannot overwrite, the base set of + // annotations cert-manager sets on the Certificate's Secret. + secretTemplate?: { + // Annotations is a key value map to be copied to the target + // Kubernetes Secret. + annotations?: { + [string]: string + } + + // Labels is a key value map to be copied to the target Kubernetes + // Secret. + labels?: { + [string]: string + } + } + + // Requested set of X509 certificate subject attributes. More + // info: + // https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + // The common name attribute is specified separately in the + // `commonName` field. Cannot be set if the `literalSubject` + // field is set. + subject?: { + // Countries to be used on the Certificate. + countries?: [...string] + + // Cities to be used on the Certificate. + localities?: [...string] + + // Organizational Units to be used on the Certificate. + organizationalUnits?: [...string] + + // Organizations to be used on the Certificate. + organizations?: [...string] + + // Postal codes to be used on the Certificate. + postalCodes?: [...string] + + // State/Provinces to be used on the Certificate. + provinces?: [...string] + + // Serial number to be used on the Certificate. + serialNumber?: string + + // Street addresses to be used on the Certificate. + streetAddresses?: [...string] + } + + // Requested URI subject alternative names. + uris?: [...string] + + // Requested key usages and extended key usages. These usages are + // used to set the `usages` field on the created + // CertificateRequest resources. If `encodeUsagesInRequest` is + // unset or set to `true`, the usages will additionally be + // encoded in the `request` field which contains the CSR blob. + // If unset, defaults to `digital signature` and `key + // encipherment`. + usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"] +} diff --git a/cue.mod/gen/cert-manager.io/issuer/v1/types_gen.cue b/cue.mod/gen/cert-manager.io/issuer/v1/types_gen.cue new file mode 100644 index 0000000..a068f50 --- /dev/null +++ b/cue.mod/gen/cert-manager.io/issuer/v1/types_gen.cue @@ -0,0 +1,1589 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/cert-manager/cert-manager/master/deploy/crds/crd-issuers.yaml + +package v1 + +import "strings" + +// An Issuer represents a certificate issuing authority which can +// be referenced as part of `issuerRef` fields. It is scoped to a +// single namespace and can therefore only be referenced by +// resources within the same namespace. +#Issuer: { + // APIVersion defines the versioned schema of this representation + // of an object. Servers should convert recognized schemas to the + // latest internal value, and may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "cert-manager.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. Servers may infer this from the endpoint + // the client submits requests to. Cannot be updated. In + // CamelCase. More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Issuer" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Desired state of the Issuer resource. + spec!: #IssuerSpec +} + +// Desired state of the Issuer resource. +#IssuerSpec: { + // ACME configures this issuer to communicate with a RFC8555 + // (ACME) server to obtain signed x509 certificates. + acme?: { + // Base64-encoded bundle of PEM CAs which can be used to validate + // the certificate chain presented by the ACME server. Mutually + // exclusive with SkipTLSVerify; prefer using CABundle to prevent + // various kinds of security vulnerabilities. If CABundle and + // SkipTLSVerify are unset, the system certificate bundle inside + // the container is used to validate the TLS connection. + caBundle?: string + + // Enables or disables generating a new ACME account key. If true, + // the Issuer resource will *not* request a new account but will + // expect the account key to be supplied via an existing secret. + // If false, the cert-manager system will generate a new ACME + // account key for the Issuer. Defaults to false. + disableAccountKeyGeneration?: bool + + // Email is the email address to be associated with the ACME + // account. This field is optional, but it is strongly + // recommended to be set. It will be used to contact you in case + // of issues with your account or certificates, including expiry + // notification emails. This field may be updated after the + // account is initially registered. + email?: string + + // Enables requesting a Not After date on certificates that + // matches the duration of the certificate. This is not supported + // by all ACME servers like Let's Encrypt. If set to true when + // the ACME server does not support it it will create an error on + // the Order. Defaults to false. + enableDurationFeature?: bool + + // ExternalAccountBinding is a reference to a CA external account + // of the ACME server. If set, upon registration cert-manager + // will attempt to associate the given external account + // credentials with the registered ACME account. + externalAccountBinding?: { + // Deprecated: keyAlgorithm field exists for historical + // compatibility reasons and should not be used. The algorithm is + // now hardcoded to HS256 in golang/x/crypto/acme. + keyAlgorithm?: "HS256" | "HS384" | "HS512" + + // keyID is the ID of the CA key that the External Account is + // bound to. + keyID: string + + // keySecretRef is a Secret Key Selector referencing a data item + // in a Kubernetes Secret which holds the symmetric MAC key of + // the External Account Binding. The `key` is the index string + // that is paired with the key data in the Secret and should not + // be confused with the key data itself, or indeed with the + // External Account Binding keyID above. The secret key stored in + // the Secret **must** be un-padded, base64 URL encoded data. + keySecretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + } + + // PreferredChain is the chain to use if the ACME server outputs + // multiple. PreferredChain is no guarantee that this one gets + // delivered by the ACME endpoint. For example, for Let's + // Encrypt's DST crosssign you would use: "DST Root CA X3" or + // "ISRG Root X1" for the newer Let's Encrypt root CA. This value + // picks the first certificate bundle in the ACME alternative + // chains that has a certificate with this value as its issuer's + // CN + preferredChain?: strings.MaxRunes(64) + + // PrivateKey is the name of a Kubernetes Secret resource that + // will be used to store the automatically generated ACME account + // private key. Optionally, a `key` may be specified to select a + // specific entry within the named Secret resource. If `key` is + // not specified, a default of `tls.key` will be used. + privateKeySecretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // Server is the URL used to access the ACME server's 'directory' + // endpoint. For example, for Let's Encrypt's staging endpoint, + // you would use: + // "https://acme-staging-v02.api.letsencrypt.org/directory". Only + // ACME v2 endpoints (i.e. RFC 8555) are supported. + server: string + + // INSECURE: Enables or disables validation of the ACME server TLS + // certificate. If true, requests to the ACME server will not + // have the TLS certificate chain validated. Mutually exclusive + // with CABundle; prefer using CABundle to prevent various kinds + // of security vulnerabilities. Only enable this option in + // development environments. If CABundle and SkipTLSVerify are + // unset, the system certificate bundle inside the container is + // used to validate the TLS connection. Defaults to false. + skipTLSVerify?: bool + + // Solvers is a list of challenge solvers that will be used to + // solve ACME challenges for the matching domains. Solver + // configurations must be provided in order to obtain + // certificates from an ACME server. For more information, see: + // https://cert-manager.io/docs/configuration/acme/ + solvers?: [...{ + // Configures cert-manager to attempt to complete authorizations + // by performing the DNS01 challenge flow. + dns01?: { + // Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to + // manage DNS01 challenge records. + acmeDNS?: { + // A reference to a specific 'key' within a Secret resource. In + // some instances, `key` is a required field. + accountSecretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + host: string + } + + // Use the Akamai DNS zone management API to manage DNS01 + // challenge records. + akamai?: { + // A reference to a specific 'key' within a Secret resource. In + // some instances, `key` is a required field. + accessTokenSecretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // A reference to a specific 'key' within a Secret resource. In + // some instances, `key` is a required field. + clientSecretSecretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // A reference to a specific 'key' within a Secret resource. In + // some instances, `key` is a required field. + clientTokenSecretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + serviceConsumerDomain: string + } + + // Use the Microsoft Azure DNS API to manage DNS01 challenge + // records. + azureDNS?: { + // Auth: Azure Service Principal: The ClientID of the Azure + // Service Principal used to authenticate with Azure DNS. If set, + // ClientSecret and TenantID must also be set. + clientID?: string + + // Auth: Azure Service Principal: A reference to a Secret + // containing the password associated with the Service Principal. + // If set, ClientID and TenantID must also be set. + clientSecretSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // name of the Azure environment (default AzurePublicCloud) + environment?: "AzurePublicCloud" | "AzureChinaCloud" | "AzureGermanCloud" | "AzureUSGovernmentCloud" + + // name of the DNS zone that should be used + hostedZoneName?: string + + // Auth: Azure Workload Identity or Azure Managed Service + // Identity: Settings to enable Azure Workload Identity or Azure + // Managed Service Identity If set, ClientID, ClientSecret and + // TenantID must not be set. + managedIdentity?: { + // client ID of the managed identity, can not be used at the same + // time as resourceID + clientID?: string + + // resource ID of the managed identity, can not be used at the + // same time as clientID Cannot be used for Azure Managed Service + // Identity + resourceID?: string + } + + // resource group the DNS zone is located in + resourceGroupName: string + + // ID of the Azure subscription + subscriptionID: string + + // Auth: Azure Service Principal: The TenantID of the Azure + // Service Principal used to authenticate with Azure DNS. If set, + // ClientID and ClientSecret must also be set. + tenantID?: string + } + + // Use the Google Cloud DNS API to manage DNS01 challenge records. + cloudDNS?: { + // HostedZoneName is an optional field that tells cert-manager in + // which Cloud DNS zone the challenge record has to be created. + // If left empty cert-manager will automatically choose a zone. + hostedZoneName?: string + project: string + + // A reference to a specific 'key' within a Secret resource. In + // some instances, `key` is a required field. + serviceAccountSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + } + + // Use the Cloudflare API to manage DNS01 challenge records. + cloudflare?: { + // API key to use to authenticate with Cloudflare. Note: using an + // API token to authenticate is now the recommended method as it + // allows greater control of permissions. + apiKeySecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // API token used to authenticate with Cloudflare. + apiTokenSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // Email of the account, only required when using API key based + // authentication. + email?: string + } + + // CNAMEStrategy configures how the DNS01 provider should handle + // CNAME records when found in DNS zones. + cnameStrategy?: "None" | "Follow" + digitalocean?: { + // A reference to a specific 'key' within a Secret resource. In + // some instances, `key` is a required field. + tokenSecretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + } + + // Use RFC2136 ("Dynamic Updates in the Domain Name System") + // (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 + // challenge records. + rfc2136?: { + // The IP address or hostname of an authoritative DNS server + // supporting RFC2136 in the form host:port. If the host is an + // IPv6 address it must be enclosed in square brackets (e.g + // [2001:db8::1]) ; port is optional. This field is required. + nameserver: string + + // The TSIG Algorithm configured in the DNS supporting RFC2136. + // Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are + // defined. Supported values are (case-insensitive): ``HMACMD5`` + // (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. + tsigAlgorithm?: string + + // The TSIG Key name configured in the DNS. If + // ``tsigSecretSecretRef`` is defined, this field is required. + tsigKeyName?: string + + // The name of the secret containing the TSIG value. If + // ``tsigKeyName`` is defined, this field is required. + tsigSecretSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + } + + // Use the AWS Route53 API to manage DNS01 challenge records. + route53?: { + // The AccessKeyID is used for authentication. Cannot be set when + // SecretAccessKeyID is set. If neither the Access Key nor Key ID + // are set, we fall-back to using env vars, shared credentials + // file or AWS Instance metadata, see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + accessKeyID?: string + + // The SecretAccessKey is used for authentication. If set, pull + // the AWS access key ID from a key within a Kubernetes Secret. + // Cannot be set when AccessKeyID is set. If neither the Access + // Key nor Key ID are set, we fall-back to using env vars, shared + // credentials file or AWS Instance metadata, see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + accessKeyIDSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // If set, the provider will manage only this zone in Route53 and + // will not do an lookup using the route53:ListHostedZonesByName + // api call. + hostedZoneID?: string + + // Always set the region when using AccessKeyID and + // SecretAccessKey + region: string + + // Role is a Role ARN which the Route53 provider will assume using + // either the explicit credentials AccessKeyID/SecretAccessKey or + // the inferred credentials from environment variables, shared + // credentials file or AWS Instance metadata + role?: string + + // The SecretAccessKey is used for authentication. If neither the + // Access Key nor Key ID are set, we fall-back to using env vars, + // shared credentials file or AWS Instance metadata, see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + secretAccessKeySecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + } + + // Configure an external webhook based DNS01 challenge solver to + // manage DNS01 challenge records. + webhook?: { + // Additional configuration that should be passed to the webhook + // apiserver when challenges are processed. This can contain + // arbitrary JSON data. Secret values should not be specified in + // this stanza. If secret values are needed (e.g. credentials for + // a DNS service), you should use a SecretKeySelector to + // reference a Secret resource. For details on the schema of this + // field, consult the webhook provider implementation's + // documentation. + config?: _ + + // The API group name that should be used when POSTing + // ChallengePayload resources to the webhook apiserver. This + // should be the same as the GroupName specified in the webhook + // provider implementation. + groupName: string + + // The name of the solver to use, as defined in the webhook + // provider implementation. This will typically be the name of + // the provider, e.g. 'cloudflare'. + solverName: string + } + } + + // Configures cert-manager to attempt to complete authorizations + // by performing the HTTP01 challenge flow. It is not possible to + // obtain certificates for wildcard domain names (e.g. + // `*.example.com`) using the HTTP01 challenge mechanism. + http01?: { + // The Gateway API is a sig-network community API that models + // service networking in Kubernetes + // (https://gateway-api.sigs.k8s.io/). The Gateway solver will + // create HTTPRoutes with the specified labels in the same + // namespace as the challenge. This solver is experimental, and + // fields / behaviour may change in the future. + gatewayHTTPRoute?: { + // Custom labels that will be applied to HTTPRoutes created by + // cert-manager while solving HTTP-01 challenges. + labels?: { + [string]: string + } + + // When solving an HTTP-01 challenge, cert-manager creates an + // HTTPRoute. cert-manager needs to know which parentRefs should + // be used when creating the HTTPRoute. Usually, the parentRef + // references a Gateway. See: + // https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways + parentRefs?: [...{ + // Group is the group of the referent. When unspecified, + // "gateway.networking.k8s.io" is inferred. To set the core API + // group (such as for a "Service" kind referent), Group must be + // explicitly set to "" (empty string). + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // There are two kinds of parent resources with "Core" support: + // * Gateway (Gateway conformance profile) * Service (Mesh + // conformance profile, experimental, ClusterIP Services only) + // Support for other resources is Implementation-Specific. + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // Support: Core + name: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers to the local namespace of the Route. + // Note that there are specific rules for ParentRefs which cross + // namespace boundaries. Cross-namespace references are only + // valid if they are explicitly allowed by something in the + // namespace they are referring to. For example: Gateway has the + // AllowedRoutes field, and ReferenceGrant provides a generic way + // to enable any other kind of cross-namespace reference. + // ParentRefs from a Route to a + // Service in the same namespace are "producer" routes, which + // apply default routing rules to inbound connections from any + // namespace to the Service. + // ParentRefs from a Route to a Service in a different namespace + // are "consumer" routes, and these routing rules are only + // applied to outbound connections originating from the same + // namespace as the Route, for which the intended destination of + // the connections are a Service targeted as a ParentRef of the + // Route. + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted differently based on the type of parent resource. + // When the parent resource is a Gateway, this targets all + // listeners listening on the specified port that also support + // this kind of Route(and select this Route). It's not + // recommended to set `Port` unless the networking behaviors + // specified in a Route must apply to a specific port as opposed + // to a listener(s) whose port(s) may be changed. When both Port + // and SectionName are specified, the name and port of the + // selected listener must match both specified values. + // When the parent resource is + // a Service, this targets a specific port in the Service spec. + // When both Port (experimental) and SectionName are specified, + // the name and port of the selected port must match both + // specified values. + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources + // MUST clearly document how/if Port is interpreted. + // For the purpose of status, an attachment is considered + // successful as long as the parent resource accepts it + // partially. For example, Gateway listeners can restrict which + // Routes can attach to them by Route kind, namespace, or + // hostname. If 1 of 2 Gateway listeners accept attachment from + // the referencing Route, the Route MUST be considered + // successfully attached. If no Gateway listeners accept + // attachment from this Route, the Route MUST be considered + // detached from the Gateway. + // Support: Extended + // + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the following resources, SectionName is + // interpreted as the following: + // * Gateway: Listener Name. When both Port (experimental) and + // SectionName are specified, the name and port of the selected + // listener must match both specified values. * Service: Port + // Name. When both Port (experimental) and SectionName are + // specified, the name and port of the selected listener must + // match both specified values. Note that attaching Routes to + // Services as Parents is part of experimental Mesh support and + // is not supported for any other purpose. + // Implementations MAY choose to support attaching Routes to other + // resources. If that is the case, they MUST clearly document how + // SectionName is interpreted. + // When unspecified (empty string), this will reference the entire + // resource. For the purpose of status, an attachment is + // considered successful if at least one section in the parent + // resource accepts it. For example, Gateway listeners can + // restrict which Routes can attach to them by Route kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from the referencing Route, the Route MUST be + // considered successfully attached. If no Gateway listeners + // accept attachment from this Route, the Route MUST be + // considered detached from the Gateway. + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Optional service type for Kubernetes solver service. Supported + // values are NodePort or ClusterIP. If unset, defaults to + // NodePort. + serviceType?: string + } + + // The ingress based HTTP01 challenge solver will solve challenges + // by creating or modifying Ingress resources in order to route + // requests for '/.well-known/acme-challenge/XYZ' to 'challenge + // solver' pods that are provisioned by cert-manager for each + // Challenge to be completed. + ingress?: { + // This field configures the annotation + // `kubernetes.io/ingress.class` when creating Ingress resources + // to solve ACME challenges that use this challenge solver. Only + // one of `class`, `name` or `ingressClassName` may be specified. + class?: string + + // This field configures the field `ingressClassName` on the + // created Ingress resources used to solve ACME challenges that + // use this challenge solver. This is the recommended way of + // configuring the ingress class. Only one of `class`, `name` or + // `ingressClassName` may be specified. + ingressClassName?: string + ingressTemplate?: { + // ObjectMeta overrides for the ingress used to solve HTTP01 + // challenges. Only the 'labels' and 'annotations' fields may be + // set. If labels or annotations overlap with in-built values, + // the values here will override the in-built values. + metadata?: { + // Annotations that should be added to the created ACME HTTP01 + // solver ingress. + annotations?: { + [string]: string + } + + // Labels that should be added to the created ACME HTTP01 solver + // ingress. + labels?: { + [string]: string + } + } + } + + // The name of the ingress resource that should have ACME + // challenge solving routes inserted into it in order to solve + // HTTP01 challenges. This is typically used in conjunction with + // ingress controllers like ingress-gce, which maintains a 1:1 + // mapping between external IPs and ingress resources. Only one + // of `class`, `name` or `ingressClassName` may be specified. + name?: string + + // Optional pod template used to configure the ACME challenge + // solver pods used for HTTP01 challenges. + podTemplate?: { + // ObjectMeta overrides for the pod used to solve HTTP01 + // challenges. Only the 'labels' and 'annotations' fields may be + // set. If labels or annotations overlap with in-built values, + // the values here will override the in-built values. + metadata?: { + // Annotations that should be added to the create ACME HTTP01 + // solver pods. + annotations?: { + [string]: string + } + + // Labels that should be added to the created ACME HTTP01 solver + // pods. + labels?: { + [string]: string + } + } + + // PodSpec defines overrides for the HTTP01 challenge solver pod. + // Check ACMEChallengeSolverHTTP01IngressPodSpec to find out + // currently supported fields. All other fields will be ignored. + spec?: { + // If specified, the pod's scheduling constraints + affinity?: { + // Describes node affinity scheduling rules for the pod. + nodeAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy the affinity expressions specified by this field, but + // it may choose a node that violates one or more of the + // expressions. The node that is most preferred is the one with + // the greatest sum of weights, i.e. for each node that meets all + // of the scheduling requirements (resource request, + // requiredDuringScheduling affinity expressions, etc.), compute + // a sum by iterating through the elements of this field and + // adding "weight" to the sum if the node matches the + // corresponding matchExpressions; the node(s) with the highest + // sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // A node selector term, associated with the corresponding weight. + preference: { + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key: string + + // Represents a key's relationship to a set of values. Valid + // operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + operator: string + + // An array of string values. If the operator is In or NotIn, the + // values array must be non-empty. If the operator is Exists or + // DoesNotExist, the values array must be empty. If the operator + // is Gt or Lt, the values array must have a single element, + // which will be interpreted as an integer. This array is + // replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key: string + + // Represents a key's relationship to a set of values. Valid + // operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + operator: string + + // An array of string values. If the operator is In or NotIn, the + // values array must be non-empty. If the operator is Exists or + // DoesNotExist, the values array must be empty. If the operator + // is Gt or Lt, the values array must have a single element, + // which will be interpreted as an integer. This array is + // replaced during a strategic merge patch. + values?: [...string] + }] + } + + // Weight associated with matching the corresponding + // nodeSelectorTerm, in the range 1-100. + weight: int + }] + requiredDuringSchedulingIgnoredDuringExecution?: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms: [...{ + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key: string + + // Represents a key's relationship to a set of values. Valid + // operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + operator: string + + // An array of string values. If the operator is In or NotIn, the + // values array must be non-empty. If the operator is Exists or + // DoesNotExist, the values array must be empty. If the operator + // is Gt or Lt, the values array must have a single element, + // which will be interpreted as an integer. This array is + // replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key: string + + // Represents a key's relationship to a set of values. Valid + // operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + operator: string + + // An array of string values. If the operator is In or NotIn, the + // values array must be non-empty. If the operator is Exists or + // DoesNotExist, the values array must be empty. If the operator + // is Gt or Lt, the values array must have a single element, + // which will be interpreted as an integer. This array is + // replaced during a strategic merge patch. + values?: [...string] + }] + }] + } + } + + // Describes pod affinity scheduling rules (e.g. co-locate this + // pod in the same node, zone, etc. as some other pod(s)). + podAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy the affinity expressions specified by this field, but + // it may choose a node that violates one or more of the + // expressions. The node that is most preferred is the one with + // the greatest sum of weights, i.e. for each node that meets all + // of the scheduling requirements (resource request, + // requiredDuringScheduling affinity expressions, etc.), compute + // a sum by iterating through the elements of this field and + // adding "weight" to the sum if the node has pods which matches + // the corresponding podAffinityTerm; the node(s) with the + // highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm: { + // A label query over a set of resources, in this case pods. If + // it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: string + + // values is an array of string values. If the operator is In or + // NotIn, the values array must be non-empty. If the operator is + // Exists or DoesNotExist, the values array must be empty. This + // array is replaced during a strategic merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels map is equivalent to an element of + // matchExpressions, whose key field is "key", the operator is + // "In", and the values array contains only "value". The + // requirements are ANDed. + matchLabels?: { + [string]: string + } + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will be taken into consideration. The keys are used to lookup + // values from the incoming pod labels, those key-value labels + // are merged with `LabelSelector` as `key in (value)` to select + // the group of existing pods which pods will be taken into + // consideration for the incoming pod's pod (anti) affinity. Keys + // that don't exist in the incoming pod labels will be ignored. + // The default value is empty. The same key is forbidden to exist + // in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys + // cannot be set when LabelSelector isn't set. This is an alpha + // field and requires enabling MatchLabelKeysInPodAffinity + // feature gate. + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will be taken into consideration. The keys are used to + // lookup values from the incoming pod labels, those key-value + // labels are merged with `LabelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration for the incoming pod's pod (anti) affinity. + // Keys that don't exist in the incoming pod labels will be + // ignored. The default value is empty. The same key is forbidden + // to exist in both MismatchLabelKeys and LabelSelector. Also, + // MismatchLabelKeys cannot be set when LabelSelector isn't set. + // This is an alpha field and requires enabling + // MatchLabelKeysInPodAffinity feature gate. + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. The term is applied to the union of the namespaces + // selected by this field and the ones listed in the namespaces + // field. null selector and null or empty namespaces list means + // "this pod's namespace". An empty selector ({}) matches all + // namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: string + + // values is an array of string values. If the operator is In or + // NotIn, the values array must be non-empty. If the operator is + // Exists or DoesNotExist, the values array must be empty. This + // array is replaced during a strategic merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels map is equivalent to an element of + // matchExpressions, whose key field is "key", the operator is + // "In", and the values array contains only "value". The + // requirements are ANDed. + matchLabels?: { + [string]: string + } + } + + // namespaces specifies a static list of namespace names that the + // term applies to. The term is applied to the union of the + // namespaces listed in this field and the ones selected by + // namespaceSelector. null or empty namespaces list and null + // namespaceSelector means "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching the labelSelector in + // the specified namespaces, where co-located is defined as + // running on a node whose value of the label with key + // topologyKey matches that of any node on which any of the + // selected pods is running. Empty topologyKey is not allowed. + topologyKey: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, in the range 1-100. + weight: int + }] + + // If the affinity requirements specified by this field are not + // met at scheduling time, the pod will not be scheduled onto the + // node. If the affinity requirements specified by this field + // cease to be met at some point during pod execution (e.g. due + // to a pod label update), the system may or may not try to + // eventually evict the pod from its node. When there are + // multiple elements, the lists of nodes corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. If + // it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: string + + // values is an array of string values. If the operator is In or + // NotIn, the values array must be non-empty. If the operator is + // Exists or DoesNotExist, the values array must be empty. This + // array is replaced during a strategic merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels map is equivalent to an element of + // matchExpressions, whose key field is "key", the operator is + // "In", and the values array contains only "value". The + // requirements are ANDed. + matchLabels?: { + [string]: string + } + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will be taken into consideration. The keys are used to lookup + // values from the incoming pod labels, those key-value labels + // are merged with `LabelSelector` as `key in (value)` to select + // the group of existing pods which pods will be taken into + // consideration for the incoming pod's pod (anti) affinity. Keys + // that don't exist in the incoming pod labels will be ignored. + // The default value is empty. The same key is forbidden to exist + // in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys + // cannot be set when LabelSelector isn't set. This is an alpha + // field and requires enabling MatchLabelKeysInPodAffinity + // feature gate. + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will be taken into consideration. The keys are used to + // lookup values from the incoming pod labels, those key-value + // labels are merged with `LabelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration for the incoming pod's pod (anti) affinity. + // Keys that don't exist in the incoming pod labels will be + // ignored. The default value is empty. The same key is forbidden + // to exist in both MismatchLabelKeys and LabelSelector. Also, + // MismatchLabelKeys cannot be set when LabelSelector isn't set. + // This is an alpha field and requires enabling + // MatchLabelKeysInPodAffinity feature gate. + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. The term is applied to the union of the namespaces + // selected by this field and the ones listed in the namespaces + // field. null selector and null or empty namespaces list means + // "this pod's namespace". An empty selector ({}) matches all + // namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: string + + // values is an array of string values. If the operator is In or + // NotIn, the values array must be non-empty. If the operator is + // Exists or DoesNotExist, the values array must be empty. This + // array is replaced during a strategic merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels map is equivalent to an element of + // matchExpressions, whose key field is "key", the operator is + // "In", and the values array contains only "value". The + // requirements are ANDed. + matchLabels?: { + [string]: string + } + } + + // namespaces specifies a static list of namespace names that the + // term applies to. The term is applied to the union of the + // namespaces listed in this field and the ones selected by + // namespaceSelector. null or empty namespaces list and null + // namespaceSelector means "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching the labelSelector in + // the specified namespaces, where co-located is defined as + // running on a node whose value of the label with key + // topologyKey matches that of any node on which any of the + // selected pods is running. Empty topologyKey is not allowed. + topologyKey: string + }] + } + + // Describes pod anti-affinity scheduling rules (e.g. avoid + // putting this pod in the same node, zone, etc. as some other + // pod(s)). + podAntiAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy the anti-affinity expressions specified by this field, + // but it may choose a node that violates one or more of the + // expressions. The node that is most preferred is the one with + // the greatest sum of weights, i.e. for each node that meets all + // of the scheduling requirements (resource request, + // requiredDuringScheduling anti-affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding "weight" to the sum if the node has pods which + // matches the corresponding podAffinityTerm; the node(s) with + // the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm: { + // A label query over a set of resources, in this case pods. If + // it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: string + + // values is an array of string values. If the operator is In or + // NotIn, the values array must be non-empty. If the operator is + // Exists or DoesNotExist, the values array must be empty. This + // array is replaced during a strategic merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels map is equivalent to an element of + // matchExpressions, whose key field is "key", the operator is + // "In", and the values array contains only "value". The + // requirements are ANDed. + matchLabels?: { + [string]: string + } + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will be taken into consideration. The keys are used to lookup + // values from the incoming pod labels, those key-value labels + // are merged with `LabelSelector` as `key in (value)` to select + // the group of existing pods which pods will be taken into + // consideration for the incoming pod's pod (anti) affinity. Keys + // that don't exist in the incoming pod labels will be ignored. + // The default value is empty. The same key is forbidden to exist + // in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys + // cannot be set when LabelSelector isn't set. This is an alpha + // field and requires enabling MatchLabelKeysInPodAffinity + // feature gate. + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will be taken into consideration. The keys are used to + // lookup values from the incoming pod labels, those key-value + // labels are merged with `LabelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration for the incoming pod's pod (anti) affinity. + // Keys that don't exist in the incoming pod labels will be + // ignored. The default value is empty. The same key is forbidden + // to exist in both MismatchLabelKeys and LabelSelector. Also, + // MismatchLabelKeys cannot be set when LabelSelector isn't set. + // This is an alpha field and requires enabling + // MatchLabelKeysInPodAffinity feature gate. + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. The term is applied to the union of the namespaces + // selected by this field and the ones listed in the namespaces + // field. null selector and null or empty namespaces list means + // "this pod's namespace". An empty selector ({}) matches all + // namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: string + + // values is an array of string values. If the operator is In or + // NotIn, the values array must be non-empty. If the operator is + // Exists or DoesNotExist, the values array must be empty. This + // array is replaced during a strategic merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels map is equivalent to an element of + // matchExpressions, whose key field is "key", the operator is + // "In", and the values array contains only "value". The + // requirements are ANDed. + matchLabels?: { + [string]: string + } + } + + // namespaces specifies a static list of namespace names that the + // term applies to. The term is applied to the union of the + // namespaces listed in this field and the ones selected by + // namespaceSelector. null or empty namespaces list and null + // namespaceSelector means "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching the labelSelector in + // the specified namespaces, where co-located is defined as + // running on a node whose value of the label with key + // topologyKey matches that of any node on which any of the + // selected pods is running. Empty topologyKey is not allowed. + topologyKey: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, in the range 1-100. + weight: int + }] + + // If the anti-affinity requirements specified by this field are + // not met at scheduling time, the pod will not be scheduled onto + // the node. If the anti-affinity requirements specified by this + // field cease to be met at some point during pod execution (e.g. + // due to a pod label update), the system may or may not try to + // eventually evict the pod from its node. When there are + // multiple elements, the lists of nodes corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. If + // it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: string + + // values is an array of string values. If the operator is In or + // NotIn, the values array must be non-empty. If the operator is + // Exists or DoesNotExist, the values array must be empty. This + // array is replaced during a strategic merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels map is equivalent to an element of + // matchExpressions, whose key field is "key", the operator is + // "In", and the values array contains only "value". The + // requirements are ANDed. + matchLabels?: { + [string]: string + } + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will be taken into consideration. The keys are used to lookup + // values from the incoming pod labels, those key-value labels + // are merged with `LabelSelector` as `key in (value)` to select + // the group of existing pods which pods will be taken into + // consideration for the incoming pod's pod (anti) affinity. Keys + // that don't exist in the incoming pod labels will be ignored. + // The default value is empty. The same key is forbidden to exist + // in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys + // cannot be set when LabelSelector isn't set. This is an alpha + // field and requires enabling MatchLabelKeysInPodAffinity + // feature gate. + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will be taken into consideration. The keys are used to + // lookup values from the incoming pod labels, those key-value + // labels are merged with `LabelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration for the incoming pod's pod (anti) affinity. + // Keys that don't exist in the incoming pod labels will be + // ignored. The default value is empty. The same key is forbidden + // to exist in both MismatchLabelKeys and LabelSelector. Also, + // MismatchLabelKeys cannot be set when LabelSelector isn't set. + // This is an alpha field and requires enabling + // MatchLabelKeysInPodAffinity feature gate. + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. The term is applied to the union of the namespaces + // selected by this field and the ones listed in the namespaces + // field. null selector and null or empty namespaces list means + // "this pod's namespace". An empty selector ({}) matches all + // namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: string + + // values is an array of string values. If the operator is In or + // NotIn, the values array must be non-empty. If the operator is + // Exists or DoesNotExist, the values array must be empty. This + // array is replaced during a strategic merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels map is equivalent to an element of + // matchExpressions, whose key field is "key", the operator is + // "In", and the values array contains only "value". The + // requirements are ANDed. + matchLabels?: { + [string]: string + } + } + + // namespaces specifies a static list of namespace names that the + // term applies to. The term is applied to the union of the + // namespaces listed in this field and the ones selected by + // namespaceSelector. null or empty namespaces list and null + // namespaceSelector means "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching the labelSelector in + // the specified namespaces, where co-located is defined as + // running on a node whose value of the label with key + // topologyKey matches that of any node on which any of the + // selected pods is running. Empty topologyKey is not allowed. + topologyKey: string + }] + } + } + + // If specified, the pod's imagePullSecrets + imagePullSecrets?: [...{ + // Name of the referent. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + // TODO: Add other useful fields. apiVersion, kind, uid? + name?: string + }] + + // NodeSelector is a selector which must be true for the pod to + // fit on a node. Selector which must match a node's labels for + // the pod to be scheduled on that node. More info: + // https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector?: { + [string]: string + } + + // If specified, the pod's priorityClassName. + priorityClassName?: string + + // If specified, the pod's service account + serviceAccountName?: string + + // If specified, the pod's tolerations. + tolerations?: [...{ + // Effect indicates the taint effect to match. Empty means match + // all taint effects. When specified, allowed values are + // NoSchedule, PreferNoSchedule and NoExecute. + effect?: string + + // Key is the taint key that the toleration applies to. Empty + // means match all taint keys. If the key is empty, operator must + // be Exists; this combination means to match all values and all + // keys. + key?: string + + // Operator represents a key's relationship to the value. Valid + // operators are Exists and Equal. Defaults to Equal. Exists is + // equivalent to wildcard for value, so that a pod can tolerate + // all taints of a particular category. + operator?: string + + // TolerationSeconds represents the period of time the toleration + // (which must be of effect NoExecute, otherwise this field is + // ignored) tolerates the taint. By default, it is not set, which + // means tolerate the taint forever (do not evict). Zero and + // negative values will be treated as 0 (evict immediately) by + // the system. + tolerationSeconds?: int + + // Value is the taint value the toleration matches to. If the + // operator is Exists, the value should be empty, otherwise just + // a regular string. + value?: string + }] + } + } + + // Optional service type for Kubernetes solver service. Supported + // values are NodePort or ClusterIP. If unset, defaults to + // NodePort. + serviceType?: string + } + } + + // Selector selects a set of DNSNames on the Certificate resource + // that should be solved using this challenge solver. If not + // specified, the solver will be treated as the 'default' solver + // with the lowest priority, i.e. if any other solver has a more + // specific match, it will be used instead. + selector?: { + // List of DNSNames that this solver will be used to solve. If + // specified and a match is found, a dnsNames selector will take + // precedence over a dnsZones selector. If multiple solvers match + // with the same dnsNames value, the solver with the most + // matching labels in matchLabels will be selected. If neither + // has more matches, the solver defined earlier in the list will + // be selected. + dnsNames?: [...string] + + // List of DNSZones that this solver will be used to solve. The + // most specific DNS zone match specified here will take + // precedence over other DNS zone matches, so a solver specifying + // sys.example.com will be selected over one specifying + // example.com for the domain www.sys.example.com. If multiple + // solvers match with the same dnsZones value, the solver with + // the most matching labels in matchLabels will be selected. If + // neither has more matches, the solver defined earlier in the + // list will be selected. + dnsZones?: [...string] + + // A label selector that is used to refine the set of + // certificate's that this challenge solver will apply to. + matchLabels?: { + [string]: string + } + } + }] + } + + // CA configures this issuer to sign certificates using a signing + // CA keypair stored in a Secret resource. This is used to build + // internal PKIs that are managed by cert-manager. + ca?: { + // The CRL distribution points is an X.509 v3 certificate + // extension which identifies the location of the CRL from which + // the revocation of this certificate can be checked. If not set, + // certificates will be issued without distribution points set. + crlDistributionPoints?: [...string] + + // IssuingCertificateURLs is a list of URLs which this issuer + // should embed into certificates it creates. See + // https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for + // more details. As an example, such a URL might be + // "http://ca.domain.com/ca.crt". + issuingCertificateURLs?: [...string] + + // The OCSP server list is an X.509 v3 extension that defines a + // list of URLs of OCSP responders. The OCSP responders can be + // queried for the revocation status of an issued certificate. If + // not set, the certificate will be issued with no OCSP servers + // set. For example, an OCSP server URL could be + // "http://ocsp.int-x3.letsencrypt.org". + ocspServers?: [...string] + + // SecretName is the name of the secret used to sign Certificates + // issued by this Issuer. + secretName: string + } + selfSigned?: { + // The CRL distribution points is an X.509 v3 certificate + // extension which identifies the location of the CRL from which + // the revocation of this certificate can be checked. If not set + // certificate will be issued without CDP. Values are strings. + crlDistributionPoints?: [...string] + } + + // Vault configures this issuer to sign certificates using a + // HashiCorp Vault PKI backend. + vault?: { + // Auth configures how cert-manager authenticates with the Vault + // server. + auth: { + // AppRole authenticates with Vault using the App Role auth + // mechanism, with the role and secret stored in a Kubernetes + // Secret resource. + appRole?: { + // Path where the App Role authentication backend is mounted in + // Vault, e.g: "approle" + path: string + + // RoleID configured in the App Role authentication backend when + // setting up the authentication backend in Vault. + roleId: string + + // Reference to a key in a Secret that contains the App Role + // secret used to authenticate with Vault. The `key` field must + // be specified and denotes which entry within the Secret + // resource is used as the app role secret. + secretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + } + + // Kubernetes authenticates with Vault by passing the + // ServiceAccount token stored in the named Secret resource to + // the Vault server. + kubernetes?: { + // The Vault mountPath here is the mount path to use when + // authenticating with Vault. For example, setting a value to + // `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to + // authenticate with Vault. If unspecified, the default value + // "/v1/auth/kubernetes" will be used. + mountPath?: string + + // A required field containing the Vault Role to assume. A Role + // binds a Kubernetes ServiceAccount with a set of Vault + // policies. + role: string + + // The required Secret field containing a Kubernetes + // ServiceAccount JWT used for authenticating with Vault. Use of + // 'ambient credentials' is not supported. + secretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + serviceAccountRef?: { + // Name of the ServiceAccount used to request a token. + name: string + } + } + + // TokenSecretRef authenticates with Vault by presenting a token. + tokenSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + } + + // Base64-encoded bundle of PEM CAs which will be used to validate + // the certificate chain presented by Vault. Only used if using + // HTTPS to connect to Vault and ignored for HTTP connections. + // Mutually exclusive with CABundleSecretRef. If neither CABundle + // nor CABundleSecretRef are defined, the certificate bundle in + // the cert-manager controller container is used to validate the + // TLS connection. + caBundle?: string + + // Reference to a Secret containing a bundle of PEM-encoded CAs to + // use when verifying the certificate chain presented by Vault + // when using HTTPS. Mutually exclusive with CABundle. If neither + // CABundle nor CABundleSecretRef are defined, the certificate + // bundle in the cert-manager controller container is used to + // validate the TLS connection. If no key for the Secret is + // specified, cert-manager will default to 'ca.crt'. + caBundleSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // Name of the vault namespace. Namespaces is a set of features + // within Vault Enterprise that allows Vault environments to + // support Secure Multi-tenancy. e.g: "ns1" More about namespaces + // can be found here + // https://www.vaultproject.io/docs/enterprise/namespaces + namespace?: string + + // Path is the mount path of the Vault PKI backend's `sign` + // endpoint, e.g: "my_pki_mount/sign/my-role-name". + path: string + + // Server is the connection address for the Vault server, e.g: + // "https://vault.example.com:8200". + server: string + } + + // Venafi configures this issuer to sign certificates using a + // Venafi TPP or Venafi Cloud policy zone. + venafi?: { + // Cloud specifies the Venafi cloud configuration settings. Only + // one of TPP or Cloud may be specified. + cloud?: { + // APITokenSecretRef is a secret key selector for the Venafi Cloud + // API token. + apiTokenSecretRef: { + // The key of the entry in the Secret resource's `data` field to + // be used. Some instances of this field may be defaulted, in + // others it may be required. + key?: string + + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // URL is the base URL for Venafi Cloud. Defaults to + // "https://api.venafi.cloud/v1". + url?: string + } + + // TPP specifies Trust Protection Platform configuration settings. + // Only one of TPP or Cloud may be specified. + tpp?: { + // Base64-encoded bundle of PEM CAs which will be used to validate + // the certificate chain presented by the TPP server. Only used + // if using HTTPS; ignored for HTTP. If undefined, the + // certificate bundle in the cert-manager controller container is + // used to validate the chain. + caBundle?: string + credentialsRef: { + // Name of the resource being referred to. More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string + } + + // URL is the base URL for the vedsdk endpoint of the Venafi TPP + // instance, for example: "https://tpp.example.com/vedsdk". + url: string + } + + // Zone is the Venafi Policy Zone to use for this issuer. All + // requests made to the Venafi platform will be restricted by the + // named zone policy. This field is required. + zone: string + } +} diff --git a/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue new file mode 100644 index 0000000..597f5b0 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admission/v1 + +package v1 + +#GroupName: "admission.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue new file mode 100644 index 0000000..af26bd0 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue @@ -0,0 +1,172 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admission/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + authenticationv1 "k8s.io/api/authentication/v1" + "k8s.io/apimachinery/pkg/runtime" +) + +// AdmissionReview describes an admission review request/response. +#AdmissionReview: { + metav1.#TypeMeta + + // Request describes the attributes for the admission request. + // +optional + request?: null | #AdmissionRequest @go(Request,*AdmissionRequest) @protobuf(1,bytes,opt) + + // Response describes the attributes for the admission response. + // +optional + response?: null | #AdmissionResponse @go(Response,*AdmissionResponse) @protobuf(2,bytes,opt) +} + +// AdmissionRequest describes the admission.Attributes for the admission request. +#AdmissionRequest: { + // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + // otherwise identical (parallel requests, requests when earlier requests did not modify etc) + // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + uid: types.#UID @go(UID) @protobuf(1,bytes,opt) + + // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale) + kind: metav1.#GroupVersionKind @go(Kind) @protobuf(2,bytes,opt) + + // Resource is the fully-qualified resource being requested (for example, v1.pods) + resource: metav1.#GroupVersionResource @go(Resource) @protobuf(3,bytes,opt) + + // SubResource is the subresource being requested, if any (for example, "status" or "scale") + // +optional + subResource?: string @go(SubResource) @protobuf(4,bytes,opt) + + // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + // + // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + // an API request to apps/v1beta1 deployments would be converted and sent to the webhook + // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + // + // See documentation for the "matchPolicy" field in the webhook configuration type for more details. + // +optional + requestKind?: null | metav1.#GroupVersionKind @go(RequestKind,*metav1.GroupVersionKind) @protobuf(13,bytes,opt) + + // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + // + // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + // an API request to apps/v1beta1 deployments would be converted and sent to the webhook + // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + // + // See documentation for the "matchPolicy" field in the webhook configuration type. + // +optional + requestResource?: null | metav1.#GroupVersionResource @go(RequestResource,*metav1.GroupVersionResource) @protobuf(14,bytes,opt) + + // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + // See documentation for the "matchPolicy" field in the webhook configuration type. + // +optional + requestSubResource?: string @go(RequestSubResource) @protobuf(15,bytes,opt) + + // Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + // rely on the server to generate the name. If that is the case, this field will contain an empty string. + // +optional + name?: string @go(Name) @protobuf(5,bytes,opt) + + // Namespace is the namespace associated with the request (if any). + // +optional + namespace?: string @go(Namespace) @protobuf(6,bytes,opt) + + // Operation is the operation being performed. This may be different than the operation + // requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + operation: #Operation @go(Operation) @protobuf(7,bytes,opt) + + // UserInfo is information about the requesting user + userInfo: authenticationv1.#UserInfo @go(UserInfo) @protobuf(8,bytes,opt) + + // Object is the object from the incoming request. + // +optional + object?: runtime.#RawExtension @go(Object) @protobuf(9,bytes,opt) + + // OldObject is the existing object. Only populated for DELETE and UPDATE requests. + // +optional + oldObject?: runtime.#RawExtension @go(OldObject) @protobuf(10,bytes,opt) + + // DryRun indicates that modifications will definitely not be persisted for this request. + // Defaults to false. + // +optional + dryRun?: null | bool @go(DryRun,*bool) @protobuf(11,varint,opt) + + // Options is the operation option structure of the operation being performed. + // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + // different than the options the caller provided. e.g. for a patch request the performed + // Operation might be a CREATE, in which case the Options will a + // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + // +optional + options?: runtime.#RawExtension @go(Options) @protobuf(12,bytes,opt) +} + +// AdmissionResponse describes an admission response. +#AdmissionResponse: { + // UID is an identifier for the individual request/response. + // This must be copied over from the corresponding AdmissionRequest. + uid: types.#UID @go(UID) @protobuf(1,bytes,opt) + + // Allowed indicates whether or not the admission request was permitted. + allowed: bool @go(Allowed) @protobuf(2,varint,opt) + + // Result contains extra details into why an admission request was denied. + // This field IS NOT consulted in any way if "Allowed" is "true". + // +optional + status?: null | metav1.#Status @go(Result,*metav1.Status) @protobuf(3,bytes,opt) + + // The patch body. Currently we only support "JSONPatch" which implements RFC 6902. + // +optional + patch?: bytes @go(Patch,[]byte) @protobuf(4,bytes,opt) + + // The type of Patch. Currently we only allow "JSONPatch". + // +optional + patchType?: null | #PatchType @go(PatchType,*PatchType) @protobuf(5,bytes,opt) + + // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). + // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with + // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by + // the admission webhook to add additional context to the audit log for this request. + // +optional + auditAnnotations?: {[string]: string} @go(AuditAnnotations,map[string]string) @protobuf(6,bytes,opt) + + // warnings is a list of warning messages to return to the requesting API client. + // Warning messages describe a problem the client making the API request should correct or be aware of. + // Limit warnings to 120 characters if possible. + // Warnings over 256 characters and large numbers of warnings may be truncated. + // +optional + warnings?: [...string] @go(Warnings,[]string) @protobuf(7,bytes,rep) +} + +// PatchType is the type of patch being used to represent the mutated object +#PatchType: string // #enumPatchType + +#enumPatchType: + #PatchTypeJSONPatch + +#PatchTypeJSONPatch: #PatchType & "JSONPatch" + +// Operation is the type of resource operation being checked for admission control +#Operation: string // #enumOperation + +#enumOperation: + #Create | + #Update | + #Delete | + #Connect + +#Create: #Operation & "CREATE" +#Update: #Operation & "UPDATE" +#Delete: #Operation & "DELETE" +#Connect: #Operation & "CONNECT" diff --git a/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue b/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue new file mode 100644 index 0000000..5d30100 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +// Package v1 is the v1 version of the API. +// AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration +// MutatingWebhookConfiguration and ValidatingWebhookConfiguration are for the +// new dynamic admission controller configuration. +package v1 diff --git a/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue new file mode 100644 index 0000000..93348e9 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +package v1 + +#GroupName: "admissionregistration.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue new file mode 100644 index 0000000..7038db0 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue @@ -0,0 +1,645 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended +// to make sure that all the tuple expansions are valid. +#Rule: { + // APIGroups is the API groups the resources belong to. '*' is all groups. + // If '*' is present, the length of the slice must be one. + // Required. + // +listType=atomic + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(1,bytes,rep) + + // APIVersions is the API versions the resources belong to. '*' is all versions. + // If '*' is present, the length of the slice must be one. + // Required. + // +listType=atomic + apiVersions?: [...string] @go(APIVersions,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. + // + // For example: + // 'pods' means pods. + // 'pods/log' means the log subresource of pods. + // '*' means all resources, but not subresources. + // 'pods/*' means all subresources of pods. + // '*/scale' means all scale subresources. + // '*/*' means all resources and their subresources. + // + // If wildcard is present, the validation rule will ensure resources do not + // overlap with each other. + // + // Depending on the enclosing object, subresources might not be allowed. + // Required. + // +listType=atomic + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // scope specifies the scope of this rule. + // Valid values are "Cluster", "Namespaced", and "*" + // "Cluster" means that only cluster-scoped resources will match this rule. + // Namespace API objects are cluster-scoped. + // "Namespaced" means that only namespaced resources will match this rule. + // "*" means that there are no scope restrictions. + // Subresources match the scope of their parent resource. + // Default is "*". + // + // +optional + scope?: null | #ScopeType @go(Scope,*ScopeType) @protobuf(4,bytes,rep) +} + +// ScopeType specifies a scope for a Rule. +// +enum +#ScopeType: string // #enumScopeType + +#enumScopeType: + #ClusterScope | + #NamespacedScope | + #AllScopes + +// ClusterScope means that scope is limited to cluster-scoped objects. +// Namespace objects are cluster-scoped. +#ClusterScope: #ScopeType & "Cluster" + +// NamespacedScope means that scope is limited to namespaced objects. +#NamespacedScope: #ScopeType & "Namespaced" + +// AllScopes means that all scopes are included. +#AllScopes: #ScopeType & "*" + +// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled. +// +enum +#FailurePolicyType: string // #enumFailurePolicyType + +#enumFailurePolicyType: + #Ignore | + #Fail + +// Ignore means that an error calling the webhook is ignored. +#Ignore: #FailurePolicyType & "Ignore" + +// Fail means that an error calling the webhook causes the admission to fail. +#Fail: #FailurePolicyType & "Fail" + +// MatchPolicyType specifies the type of match policy. +// +enum +#MatchPolicyType: string // #enumMatchPolicyType + +#enumMatchPolicyType: + #Exact | + #Equivalent + +// Exact means requests should only be sent to the webhook if they exactly match a given rule. +#Exact: #MatchPolicyType & "Exact" + +// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version. +#Equivalent: #MatchPolicyType & "Equivalent" + +// SideEffectClass specifies the types of side effects a webhook may have. +// +enum +#SideEffectClass: string // #enumSideEffectClass + +#enumSideEffectClass: + #SideEffectClassUnknown | + #SideEffectClassNone | + #SideEffectClassSome | + #SideEffectClassNoneOnDryRun + +// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook. +// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. +#SideEffectClassUnknown: #SideEffectClass & "Unknown" + +// SideEffectClassNone means that calling the webhook will have no side effects. +#SideEffectClassNone: #SideEffectClass & "None" + +// SideEffectClassSome means that calling the webhook will possibly have side effects. +// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. +#SideEffectClassSome: #SideEffectClass & "Some" + +// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the +// request being reviewed has the dry-run attribute, the side effects will be suppressed. +#SideEffectClassNoneOnDryRun: #SideEffectClass & "NoneOnDryRun" + +// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it. +#ValidatingWebhookConfiguration: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Webhooks is a list of webhooks and the affected resources and operations. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + webhooks?: [...#ValidatingWebhook] @go(Webhooks,[]ValidatingWebhook) @protobuf(2,bytes,rep,name=Webhooks) +} + +// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration. +#ValidatingWebhookConfigurationList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ValidatingWebhookConfiguration. + items: [...#ValidatingWebhookConfiguration] @go(Items,[]ValidatingWebhookConfiguration) @protobuf(2,bytes,rep) +} + +// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object. +#MutatingWebhookConfiguration: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Webhooks is a list of webhooks and the affected resources and operations. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + webhooks?: [...#MutatingWebhook] @go(Webhooks,[]MutatingWebhook) @protobuf(2,bytes,rep,name=Webhooks) +} + +// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration. +#MutatingWebhookConfigurationList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of MutatingWebhookConfiguration. + items: [...#MutatingWebhookConfiguration] @go(Items,[]MutatingWebhookConfiguration) @protobuf(2,bytes,rep) +} + +// ValidatingWebhook describes an admission webhook and the resources and operations it applies to. +#ValidatingWebhook: { + // The name of the admission webhook. + // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where + // "imagepolicy" is the name of the webhook, and kubernetes.io is the name + // of the organization. + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // ClientConfig defines how to communicate with the hook. + // Required + clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt) + + // Rules describes what operations on what resources/subresources the webhook cares about. + // The webhook cares about an operation if it matches _any_ Rule. + // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks + // from putting the cluster in a state which cannot be recovered from without completely + // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called + // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep) + + // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - + // allowed values are Ignore or Fail. Defaults to Fail. + // +optional + failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType) + + // matchPolicy defines how the "rules" list is used to match incoming requests. + // Allowed values are "Exact" or "Equivalent". + // + // - Exact: match a request only if it exactly matches a specified rule. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + // + // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. + // + // Defaults to "Equivalent" + // +optional + matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType) + + // NamespaceSelector decides whether to run the webhook on an object based + // on whether the namespace for that object matches the selector. If the + // object itself is a namespace, the matching is performed on + // object.metadata.labels. If the object is another cluster scoped resource, + // it never skips the webhook. + // + // For example, to run the webhook on any objects whose namespace is not + // associated with "runlevel" of "0" or "1"; you will set the selector as + // follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "runlevel", + // "operator": "NotIn", + // "values": [ + // "0", + // "1" + // ] + // } + // ] + // } + // + // If instead you want to only run the webhook on any objects whose + // namespace is associated with the "environment" of "prod" or "staging"; + // you will set the selector as follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "environment", + // "operator": "In", + // "values": [ + // "prod", + // "staging" + // ] + // } + // ] + // } + // + // See + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + // for more examples of label selectors. + // + // Default to the empty LabelSelector, which matches everything. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt) + + // ObjectSelector decides whether to run the webhook based on if the + // object has matching labels. objectSelector is evaluated against both + // the oldObject and newObject that would be sent to the webhook, and + // is considered to match if either object matches the selector. A null + // object (oldObject in the case of create, or newObject in the case of + // delete) or an object that cannot have labels (like a + // DeploymentRollback or a PodProxyOptions object) is not considered to + // match. + // Use the object selector only if the webhook is opt-in, because end + // users may skip the admission webhook by setting the labels. + // Default to the empty LabelSelector, which matches everything. + // +optional + objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(10,bytes,opt) + + // SideEffects states whether this webhook has side effects. + // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + // Webhooks with side effects MUST implement a reconciliation system, since a request may be + // rejected by a future step in the admission chain and the side effects therefore need to be undone. + // Requests with the dryRun attribute will be auto-rejected if they match a webhook with + // sideEffects == Unknown or Some. + sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass) + + // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + // the webhook call will be ignored or the API call will fail based on the + // failure policy. + // The timeout value must be between 1 and 30 seconds. + // Default to 10 seconds. + // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt) + + // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` + // versions the Webhook expects. API server will try to use first version in + // the list which it supports. If none of the versions specified in this list + // supported by API server, validation will fail for this object. + // If a persisted webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail + // and be subject to the failure policy. + admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep) + + // MatchConditions is a list of conditions that must be met for a request to be sent to this + // webhook. Match conditions filter requests that have already been matched by the rules, + // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + // There are a maximum of 64 match conditions allowed. + // + // The exact matching logic is (in order): + // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. + // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. + // 3. If any matchCondition evaluates to an error (but none are FALSE): + // - If failurePolicy=Fail, reject the request + // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped + // + // This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=AdmissionWebhookMatchConditions + // +optional + matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(11,bytes,opt) +} + +// MutatingWebhook describes an admission webhook and the resources and operations it applies to. +#MutatingWebhook: { + // The name of the admission webhook. + // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where + // "imagepolicy" is the name of the webhook, and kubernetes.io is the name + // of the organization. + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // ClientConfig defines how to communicate with the hook. + // Required + clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt) + + // Rules describes what operations on what resources/subresources the webhook cares about. + // The webhook cares about an operation if it matches _any_ Rule. + // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks + // from putting the cluster in a state which cannot be recovered from without completely + // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called + // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep) + + // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - + // allowed values are Ignore or Fail. Defaults to Fail. + // +optional + failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType) + + // matchPolicy defines how the "rules" list is used to match incoming requests. + // Allowed values are "Exact" or "Equivalent". + // + // - Exact: match a request only if it exactly matches a specified rule. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + // + // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. + // + // Defaults to "Equivalent" + // +optional + matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType) + + // NamespaceSelector decides whether to run the webhook on an object based + // on whether the namespace for that object matches the selector. If the + // object itself is a namespace, the matching is performed on + // object.metadata.labels. If the object is another cluster scoped resource, + // it never skips the webhook. + // + // For example, to run the webhook on any objects whose namespace is not + // associated with "runlevel" of "0" or "1"; you will set the selector as + // follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "runlevel", + // "operator": "NotIn", + // "values": [ + // "0", + // "1" + // ] + // } + // ] + // } + // + // If instead you want to only run the webhook on any objects whose + // namespace is associated with the "environment" of "prod" or "staging"; + // you will set the selector as follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "environment", + // "operator": "In", + // "values": [ + // "prod", + // "staging" + // ] + // } + // ] + // } + // + // See + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + // for more examples of label selectors. + // + // Default to the empty LabelSelector, which matches everything. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt) + + // ObjectSelector decides whether to run the webhook based on if the + // object has matching labels. objectSelector is evaluated against both + // the oldObject and newObject that would be sent to the webhook, and + // is considered to match if either object matches the selector. A null + // object (oldObject in the case of create, or newObject in the case of + // delete) or an object that cannot have labels (like a + // DeploymentRollback or a PodProxyOptions object) is not considered to + // match. + // Use the object selector only if the webhook is opt-in, because end + // users may skip the admission webhook by setting the labels. + // Default to the empty LabelSelector, which matches everything. + // +optional + objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(11,bytes,opt) + + // SideEffects states whether this webhook has side effects. + // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + // Webhooks with side effects MUST implement a reconciliation system, since a request may be + // rejected by a future step in the admission chain and the side effects therefore need to be undone. + // Requests with the dryRun attribute will be auto-rejected if they match a webhook with + // sideEffects == Unknown or Some. + sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass) + + // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + // the webhook call will be ignored or the API call will fail based on the + // failure policy. + // The timeout value must be between 1 and 30 seconds. + // Default to 10 seconds. + // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt) + + // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` + // versions the Webhook expects. API server will try to use first version in + // the list which it supports. If none of the versions specified in this list + // supported by API server, validation will fail for this object. + // If a persisted webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail + // and be subject to the failure policy. + admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep) + + // reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. + // Allowed values are "Never" and "IfNeeded". + // + // Never: the webhook will not be called more than once in a single admission evaluation. + // + // IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation + // if the object being admitted is modified by other admission plugins after the initial webhook call. + // Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. + // Note: + // * the number of additional invocations is not guaranteed to be exactly one. + // * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. + // * webhooks that use this option may be reordered to minimize the number of additional invocations. + // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. + // + // Defaults to "Never". + // +optional + reinvocationPolicy?: null | #ReinvocationPolicyType @go(ReinvocationPolicy,*ReinvocationPolicyType) @protobuf(10,bytes,opt,casttype=ReinvocationPolicyType) + + // MatchConditions is a list of conditions that must be met for a request to be sent to this + // webhook. Match conditions filter requests that have already been matched by the rules, + // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + // There are a maximum of 64 match conditions allowed. + // + // The exact matching logic is (in order): + // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. + // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. + // 3. If any matchCondition evaluates to an error (but none are FALSE): + // - If failurePolicy=Fail, reject the request + // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped + // + // This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=AdmissionWebhookMatchConditions + // +optional + matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(12,bytes,opt) +} + +// ReinvocationPolicyType specifies what type of policy the admission hook uses. +// +enum +#ReinvocationPolicyType: string // #enumReinvocationPolicyType + +#enumReinvocationPolicyType: + #NeverReinvocationPolicy | + #IfNeededReinvocationPolicy + +// NeverReinvocationPolicy indicates that the webhook must not be called more than once in a +// single admission evaluation. +#NeverReinvocationPolicy: #ReinvocationPolicyType & "Never" + +// IfNeededReinvocationPolicy indicates that the webhook may be called at least one +// additional time as part of the admission evaluation if the object being admitted is +// modified by other admission plugins after the initial webhook call. +#IfNeededReinvocationPolicy: #ReinvocationPolicyType & "IfNeeded" + +// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make +// sure that all the tuple expansions are valid. +#RuleWithOperations: { + // Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + // for all of those operations and any future admission operations that are added. + // If '*' is present, the length of the slice must be one. + // Required. + // +listType=atomic + operations?: [...#OperationType] @go(Operations,[]OperationType) @protobuf(1,bytes,rep,casttype=OperationType) + + #Rule +} + +// OperationType specifies an operation for a request. +// +enum +#OperationType: string // #enumOperationType + +#enumOperationType: + #OperationAll | + #Create | + #Update | + #Delete | + #Connect + +#OperationAll: #OperationType & "*" +#Create: #OperationType & "CREATE" +#Update: #OperationType & "UPDATE" +#Delete: #OperationType & "DELETE" +#Connect: #OperationType & "CONNECT" + +// WebhookClientConfig contains the information to make a TLS +// connection with the webhook +#WebhookClientConfig: { + // `url` gives the location of the webhook, in standard URL form + // (`scheme://host:port/path`). Exactly one of `url` or `service` + // must be specified. + // + // The `host` should not refer to a service running in the cluster; use + // the `service` field instead. The host might be resolved via external + // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve + // in-cluster DNS as that would be a layering violation). `host` may + // also be an IP address. + // + // Please note that using `localhost` or `127.0.0.1` as a `host` is + // risky unless you take great care to run this webhook on all hosts + // which run an apiserver which might need to make calls to this + // webhook. Such installs are likely to be non-portable, i.e., not easy + // to turn up in a new cluster. + // + // The scheme must be "https"; the URL must begin with "https://". + // + // A path is optional, and if present may be any string permissible in + // a URL. You may use the path to pass an arbitrary string to the + // webhook, for example, a cluster identifier. + // + // Attempting to use a user or basic auth e.g. "user:password@" is not + // allowed. Fragments ("#...") and query parameters ("?...") are not + // allowed, either. + // + // +optional + url?: null | string @go(URL,*string) @protobuf(3,bytes,opt) + + // `service` is a reference to the service for this webhook. Either + // `service` or `url` must be specified. + // + // If the webhook is running within the cluster, then you should use `service`. + // + // +optional + service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt) + + // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. + // If unspecified, system trust roots on the apiserver are used. + // +optional + caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt) +} + +// ServiceReference holds a reference to Service.legacy.k8s.io +#ServiceReference: { + // `namespace` is the namespace of the service. + // Required + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // `name` is the name of the service. + // Required + name: string @go(Name) @protobuf(2,bytes,opt) + + // `path` is an optional URL path which will be sent in any request to + // this service. + // +optional + path?: null | string @go(Path,*string) @protobuf(3,bytes,opt) + + // If specified, the port on the service that hosting webhook. + // Default to 443 for backward compatibility. + // `port` should be a valid port number (1-65535, inclusive). + // +optional + port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt) +} + +// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. +#MatchCondition: { + // Name is an identifier for this match condition, used for strategic merging of MatchConditions, + // as well as providing an identifier for logging purposes. A good name should be descriptive of + // the associated expression. + // Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + // must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + // '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + // optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + // + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + // CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + // + // 'object' - The object from the incoming request. The value is null for DELETE requests. + // 'oldObject' - The existing object. The value is null for CREATE requests. + // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + // 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + // 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + // request resource. + // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + // + // Required. + expression: string @go(Expression) @protobuf(2,bytes,opt) +} diff --git a/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue new file mode 100644 index 0000000..0825600 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authentication/v1 + +package v1 + +#GroupName: "authentication.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue new file mode 100644 index 0000000..5f0127a --- /dev/null +++ b/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue @@ -0,0 +1,206 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authentication/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" +) + +// ImpersonateUserHeader is used to impersonate a particular user during an API server request +#ImpersonateUserHeader: "Impersonate-User" + +// ImpersonateGroupHeader is used to impersonate a particular group during an API server request. +// It can be repeated multiplied times for multiple groups. +#ImpersonateGroupHeader: "Impersonate-Group" + +// ImpersonateUIDHeader is used to impersonate a particular UID during an API server request +#ImpersonateUIDHeader: "Impersonate-Uid" + +// ImpersonateUserExtraHeaderPrefix is a prefix for any header used to impersonate an entry in the +// extra map[string][]string for user.Info. The key will be every after the prefix. +// It can be repeated multiplied times for multiple map keys and the same key can be repeated multiple +// times to have multiple elements in the slice under a single key +#ImpersonateUserExtraHeaderPrefix: "Impersonate-Extra-" + +// TokenReview attempts to authenticate a token to a known user. +// Note: TokenReview requests may be cached by the webhook token authenticator +// plugin in the kube-apiserver. +#TokenReview: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #TokenReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request can be authenticated. + // +optional + status?: #TokenReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// TokenReviewSpec is a description of the token authentication request. +#TokenReviewSpec: { + // Token is the opaque bearer token. + // +optional + token?: string @go(Token) @protobuf(1,bytes,opt) + + // Audiences is a list of the identifiers that the resource server presented + // with the token identifies as. Audience-aware token authenticators will + // verify that the token was intended for at least one of the audiences in + // this list. If no audiences are provided, the audience will default to the + // audience of the Kubernetes apiserver. + // +optional + audiences?: [...string] @go(Audiences,[]string) @protobuf(2,bytes,rep) +} + +// TokenReviewStatus is the result of the token authentication request. +#TokenReviewStatus: { + // Authenticated indicates that the token was associated with a known user. + // +optional + authenticated?: bool @go(Authenticated) @protobuf(1,varint,opt) + + // User is the UserInfo associated with the provided token. + // +optional + user?: #UserInfo @go(User) @protobuf(2,bytes,opt) + + // Audiences are audience identifiers chosen by the authenticator that are + // compatible with both the TokenReview and token. An identifier is any + // identifier in the intersection of the TokenReviewSpec audiences and the + // token's audiences. A client of the TokenReview API that sets the + // spec.audiences field should validate that a compatible audience identifier + // is returned in the status.audiences field to ensure that the TokenReview + // server is audience aware. If a TokenReview returns an empty + // status.audience field where status.authenticated is "true", the token is + // valid against the audience of the Kubernetes API server. + // +optional + audiences?: [...string] @go(Audiences,[]string) @protobuf(4,bytes,rep) + + // Error indicates that the token couldn't be checked + // +optional + error?: string @go(Error) @protobuf(3,bytes,opt) +} + +// UserInfo holds the information about the user needed to implement the +// user.Info interface. +#UserInfo: { + // The name that uniquely identifies this user among all active users. + // +optional + username?: string @go(Username) @protobuf(1,bytes,opt) + + // A unique value that identifies this user across time. If this user is + // deleted and another user by the same name is added, they will have + // different UIDs. + // +optional + uid?: string @go(UID) @protobuf(2,bytes,opt) + + // The names of groups this user is a part of. + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(3,bytes,rep) + + // Any additional information provided by the authenticator. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(4,bytes,rep) +} + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// TokenRequest requests a token for a given service account. +#TokenRequest: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #TokenRequestSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the token can be authenticated. + // +optional + status?: #TokenRequestStatus @go(Status) @protobuf(3,bytes,opt) +} + +// TokenRequestSpec contains client provided parameters of a token request. +#TokenRequestSpec: { + // Audiences are the intendend audiences of the token. A recipient of a + // token must identify themself with an identifier in the list of + // audiences of the token, and otherwise should reject the token. A + // token issued for multiple audiences may be used to authenticate + // against any of the audiences listed but implies a high degree of + // trust between the target audiences. + audiences: [...string] @go(Audiences,[]string) @protobuf(1,bytes,rep) + + // ExpirationSeconds is the requested duration of validity of the request. The + // token issuer may return a token with a different validity duration so a + // client needs to check the 'expiration' field in a response. + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(4,varint,opt) + + // BoundObjectRef is a reference to an object that the token will be bound to. + // The token will only be valid for as long as the bound object exists. + // NOTE: The API server's TokenReview endpoint will validate the + // BoundObjectRef, but other audiences may not. Keep ExpirationSeconds + // small if you want prompt revocation. + // +optional + boundObjectRef?: null | #BoundObjectReference @go(BoundObjectRef,*BoundObjectReference) @protobuf(3,bytes,opt) +} + +// TokenRequestStatus is the result of a token request. +#TokenRequestStatus: { + // Token is the opaque bearer token. + token: string @go(Token) @protobuf(1,bytes,opt) + + // ExpirationTimestamp is the time of expiration of the returned token. + expirationTimestamp: metav1.#Time @go(ExpirationTimestamp) @protobuf(2,bytes,opt) +} + +// BoundObjectReference is a reference to an object that a token is bound to. +#BoundObjectReference: { + // Kind of the referent. Valid kinds are 'Pod' and 'Secret'. + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // API version of the referent. + // +optional + apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt) + + // Name of the referent. + // +optional + name?: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // +optional + uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. +// When using impersonation, users will receive the user info of the user being impersonated. If impersonation or +// request header authentication is used, any extra keys will have their case ignored and returned as lowercase. +#SelfSubjectReview: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Status is filled in by the server with the user attributes. + status?: #SelfSubjectReviewStatus @go(Status) @protobuf(2,bytes,opt) +} + +// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user. +#SelfSubjectReviewStatus: { + // User attributes of the user making this request. + // +optional + userInfo?: #UserInfo @go(UserInfo) @protobuf(1,bytes,opt) +} diff --git a/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue new file mode 100644 index 0000000..afd54ec --- /dev/null +++ b/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authorization/v1 + +package v1 + +#GroupName: "authorization.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue new file mode 100644 index 0000000..6eaf818 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue @@ -0,0 +1,262 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authorization/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// SubjectAccessReview checks whether or not a user or group can perform an action. +#SubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a +// spec.namespace means "in all namespaces". Self is a special case, because users should always be able +// to check whether they can perform an action +#SelfSubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. user and groups must be empty + spec: #SelfSubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. +// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions +// checking. +#LocalSubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace + // you made the request against. If empty, it is defaulted. + spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface +#ResourceAttributes: { + // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces + // "" (empty) is defaulted for LocalSubjectAccessReviews + // "" (empty) is empty for cluster-scoped resources + // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview + // +optional + namespace?: string @go(Namespace) @protobuf(1,bytes,opt) + + // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all. + // +optional + verb?: string @go(Verb) @protobuf(2,bytes,opt) + + // Group is the API Group of the Resource. "*" means all. + // +optional + group?: string @go(Group) @protobuf(3,bytes,opt) + + // Version is the API Version of the Resource. "*" means all. + // +optional + version?: string @go(Version) @protobuf(4,bytes,opt) + + // Resource is one of the existing resource types. "*" means all. + // +optional + resource?: string @go(Resource) @protobuf(5,bytes,opt) + + // Subresource is one of the existing resource types. "" means none. + // +optional + subresource?: string @go(Subresource) @protobuf(6,bytes,opt) + + // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all. + // +optional + name?: string @go(Name) @protobuf(7,bytes,opt) +} + +// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface +#NonResourceAttributes: { + // Path is the URL path of the request + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // Verb is the standard HTTP verb + // +optional + verb?: string @go(Verb) @protobuf(2,bytes,opt) +} + +// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes +// and NonResourceAuthorizationAttributes must be set +#SubjectAccessReviewSpec: { + // ResourceAuthorizationAttributes describes information for a resource access request + // +optional + resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt) + + // NonResourceAttributes describes information for a non-resource access request + // +optional + nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt) + + // User is the user you're testing for. + // If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // Groups is the groups you're testing for. + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep) + + // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer + // it needs a reflection here. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(5,bytes,rep) + + // UID information about the requesting user. + // +optional + uid?: string @go(UID) @protobuf(6,bytes,opt) +} + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes +// and NonResourceAuthorizationAttributes must be set +#SelfSubjectAccessReviewSpec: { + // ResourceAuthorizationAttributes describes information for a resource access request + // +optional + resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt) + + // NonResourceAttributes describes information for a non-resource access request + // +optional + nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt) +} + +// SubjectAccessReviewStatus +#SubjectAccessReviewStatus: { + // Allowed is required. True if the action would be allowed, false otherwise. + allowed: bool @go(Allowed) @protobuf(1,varint,opt) + + // Denied is optional. True if the action would be denied, otherwise + // false. If both allowed is false and denied is false, then the + // authorizer has no opinion on whether to authorize the action. Denied + // may not be true if Allowed is true. + // +optional + denied?: bool @go(Denied) @protobuf(4,varint,opt) + + // Reason is optional. It indicates why a request was allowed or denied. + // +optional + reason?: string @go(Reason) @protobuf(2,bytes,opt) + + // EvaluationError is an indication that some error occurred during the authorization check. + // It is entirely possible to get an error and be able to continue determine authorization status in spite of it. + // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request. + // +optional + evaluationError?: string @go(EvaluationError) @protobuf(3,bytes,opt) +} + +// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. +// The returned list of actions may be incomplete depending on the server's authorization mode, +// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, +// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to +// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. +// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. +#SelfSubjectRulesReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. + spec: #SelfSubjectRulesReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates the set of actions a user can perform. + // +optional + status?: #SubjectRulesReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview. +#SelfSubjectRulesReviewSpec: { + // Namespace to evaluate rules for. Required. + namespace?: string @go(Namespace) @protobuf(1,bytes,opt) +} + +// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on +// the set of authorizers the server is configured with and any errors experienced during evaluation. +// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, +// even if that list is incomplete. +#SubjectRulesReviewStatus: { + // ResourceRules is the list of actions the subject is allowed to perform on resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + resourceRules: [...#ResourceRule] @go(ResourceRules,[]ResourceRule) @protobuf(1,bytes,rep) + + // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + nonResourceRules: [...#NonResourceRule] @go(NonResourceRules,[]NonResourceRule) @protobuf(2,bytes,rep) + + // Incomplete is true when the rules returned by this call are incomplete. This is most commonly + // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. + incomplete: bool @go(Incomplete) @protobuf(3,bytes,rep) + + // EvaluationError can appear in combination with Rules. It indicates an error occurred during + // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that + // ResourceRules and/or NonResourceRules may be incomplete. + // +optional + evaluationError?: string @go(EvaluationError) @protobuf(4,bytes,opt) +} + +// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, +// may contain duplicates, and possibly be incomplete. +#ResourceRule: { + // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "*" means all. + // +optional + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups. + // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups. + // +optional + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. + // +optional + resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep) +} + +// NonResourceRule holds information that describes a rule for the non-resource +#NonResourceRule: { + // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, + // final step in the path. "*" means all. + // +optional + nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(2,bytes,rep) +} diff --git a/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue new file mode 100644 index 0000000..0a7f342 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v1 + +package v1 + +#GroupName: "autoscaling" diff --git a/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue new file mode 100644 index 0000000..6e873a3 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue @@ -0,0 +1,542 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/api/core/v1" +) + +// CrossVersionObjectReference contains enough information to let you identify the referred resource. +// +structType=atomic +#CrossVersionObjectReference: { + // kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(2,bytes,opt) + + // apiVersion is the API version of the referent + // +optional + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) +} + +// specification of a horizontal pod autoscaler. +#HorizontalPodAutoscalerSpec: { + // reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption + // and will set the desired number of pods by using its Scale subresource. + scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt) + + // minReplicas is the lower limit for the number of replicas to which the autoscaler + // can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + // alpha feature gate HPAScaleToZero is enabled and at least one Object or External + // metric is configured. Scaling is active as long as at least one metric value is + // available. + // +optional + minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt) + + // maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas. + maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt) + + // targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods; + // if not specified the default autoscaling policy will be used. + // +optional + targetCPUUtilizationPercentage?: null | int32 @go(TargetCPUUtilizationPercentage,*int32) @protobuf(4,varint,opt) +} + +// current status of a horizontal pod autoscaler +#HorizontalPodAutoscalerStatus: { + // observedGeneration is the most recent generation observed by this autoscaler. + // +optional + observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt) + + // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods; + // used by the autoscaler to control how often the number of pods is changed. + // +optional + lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt) + + // currentReplicas is the current number of replicas of pods managed by this autoscaler. + currentReplicas: int32 @go(CurrentReplicas) @protobuf(3,varint,opt) + + // desiredReplicas is the desired number of replicas of pods managed by this autoscaler. + desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt) + + // currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU, + // e.g. 70 means that an average pod is using now 70% of its requested CPU. + // +optional + currentCPUUtilizationPercentage?: null | int32 @go(CurrentCPUUtilizationPercentage,*int32) @protobuf(5,varint,opt) +} + +// configuration of a horizontal pod autoscaler. +#HorizontalPodAutoscaler: { + metav1.#TypeMeta + + // Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current information about the autoscaler. + // +optional + status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// list of horizontal pod autoscaler objects. +#HorizontalPodAutoscalerList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of horizontal pod autoscaler objects. + items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep) +} + +// Scale represents a scaling request for a resource. +#Scale: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #ScaleSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only. + // +optional + status?: #ScaleStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ScaleSpec describes the attributes of a scale subresource. +#ScaleSpec: { + // replicas is the desired number of instances for the scaled object. + // +optional + replicas?: int32 @go(Replicas) @protobuf(1,varint,opt) +} + +// ScaleStatus represents the current status of a scale subresource. +#ScaleStatus: { + // replicas is the actual number of observed instances of the scaled object. + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // selector is the label query over pods that should match the replicas count. This is same + // as the label selector but in the string format to avoid introspection + // by clients. The string will be in the same format as the query-param syntax. + // More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + // +optional + selector?: string @go(Selector) @protobuf(2,bytes,opt) +} + +// MetricSourceType indicates the type of metric. +// +enum +#MetricSourceType: string // #enumMetricSourceType + +#enumMetricSourceType: + #ObjectMetricSourceType | + #PodsMetricSourceType | + #ResourceMetricSourceType | + #ContainerResourceMetricSourceType | + #ExternalMetricSourceType + +// ObjectMetricSourceType is a metric describing a kubernetes object +// (for example, hits-per-second on an Ingress object). +#ObjectMetricSourceType: #MetricSourceType & "Object" + +// PodsMetricSourceType is a metric describing each pod in the current scale +// target (for example, transactions-processed-per-second). The values +// will be averaged together before being compared to the target value. +#PodsMetricSourceType: #MetricSourceType & "Pods" + +// ResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ResourceMetricSourceType: #MetricSourceType & "Resource" + +// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing a single container in each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource" + +// ExternalMetricSourceType is a global metric that is not associated +// with any Kubernetes object. It allows autoscaling based on information +// coming from components running outside of cluster +// (for example length of queue in cloud messaging service, or +// QPS from loadbalancer running outside of cluster). +#ExternalMetricSourceType: #MetricSourceType & "External" + +// MetricSpec specifies how to scale based on a single metric +// (only `type` and one other matching field should be set at once). +#MetricSpec: { + // type is the type of metric source. It should be one of "ContainerResource", + // "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. + // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod of the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. + // +optional + containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt) +} + +// ObjectMetricSource indicates how to scale on a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricSource: { + // target is the described Kubernetes object. + target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes) + + // metricName is the name of the metric in question. + metricName: string @go(MetricName) @protobuf(2,bytes) + + // targetValue is the target value of the metric (as a quantity). + targetValue: resource.#Quantity @go(TargetValue) @protobuf(3,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric. + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes) + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes) +} + +// PodsMetricSource indicates how to scale on a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +// The values will be averaged together before being compared to the target +// value. +#PodsMetricSource: { + // metricName is the name of the metric in question + metricName: string @go(MetricName) @protobuf(1,bytes) + + // targetAverageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + targetAverageValue: resource.#Quantity @go(TargetAverageValue) @protobuf(2,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes) +} + +// ResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // targetAverageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // +optional + targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt) + + // targetAverageValue is the target value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt) +} + +// ContainerResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in the requests and limits, describing a single container in +// each of the pods of the current scale target(e.g. CPU or memory). The values will be +// averaged together before being compared to the target. Such metrics are built into +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ContainerResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // targetAverageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // +optional + targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt) + + // targetAverageValue is the target value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // container is the name of the container in the pods of the scaling target. + container: string @go(Container) @protobuf(5,bytes,opt) +} + +// ExternalMetricSource indicates how to scale on a metric not associated with +// any Kubernetes object (for example length of queue in cloud +// messaging service, or QPS from loadbalancer running outside of cluster). +#ExternalMetricSource: { + // metricName is the name of the metric in question. + metricName: string @go(MetricName) @protobuf(1,bytes) + + // metricSelector is used to identify a specific time series + // within a given metric. + // +optional + metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // targetValue is the target value of the metric (as a quantity). + // Mutually exclusive with TargetAverageValue. + // +optional + targetValue?: null | resource.#Quantity @go(TargetValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // targetAverageValue is the target per-pod value of global metric (as a quantity). + // Mutually exclusive with TargetValue. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(4,bytes,opt) +} + +// MetricStatus describes the last-read state of a single metric. +#MetricStatus: { + // type is the type of metric source. It will be one of "ContainerResource", + // "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object. + // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt) +} + +// HorizontalPodAutoscalerConditionType are the valid conditions of +// a HorizontalPodAutoscaler. +#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType + +#enumHorizontalPodAutoscalerConditionType: + #ScalingActive | + #AbleToScale | + #ScalingLimited + +// ScalingActive indicates that the HPA controller is able to scale if necessary: +// it's correctly configured, can fetch the desired metrics, and isn't disabled. +#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive" + +// AbleToScale indicates a lack of transient issues which prevent scaling from occurring, +// such as being in a backoff window, or being unable to access/update the target scale. +#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale" + +// ScalingLimited indicates that the calculated scale based on metrics would be above or +// below the range for the HPA, and has thus been capped. +#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited" + +// HorizontalPodAutoscalerCondition describes the state of +// a HorizontalPodAutoscaler at a certain point. +#HorizontalPodAutoscalerCondition: { + // type describes the current condition + type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes) + + // status is the status of the condition (True, False, Unknown) + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes) + + // lastTransitionTime is the last time the condition transitioned from + // one status to another + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is the reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable explanation containing details about + // the transition + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ObjectMetricStatus indicates the current value of a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricStatus: { + // target is the described Kubernetes object. + target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes) + + // metricName is the name of the metric in question. + metricName: string @go(MetricName) @protobuf(2,bytes) + + // currentValue is the current value of the metric (as a quantity). + currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes) + + // averageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes) +} + +// PodsMetricStatus indicates the current value of a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +#PodsMetricStatus: { + // metricName is the name of the metric in question + metricName: string @go(MetricName) @protobuf(1,bytes) + + // currentAverageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(2,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes) +} + +// ResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. It will only be + // present if `targetAverageValue` was set in the corresponding metric + // specification. + // +optional + currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt) + + // currentAverageValue is the current value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // It will always be set, regardless of the corresponding metric specification. + currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes) +} + +// ContainerResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing a single container in each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ContainerResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. It will only be + // present if `targetAverageValue` was set in the corresponding metric + // specification. + // +optional + currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt) + + // currentAverageValue is the current value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // It will always be set, regardless of the corresponding metric specification. + currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes) + + // container is the name of the container in the pods of the scaling taget + container: string @go(Container) @protobuf(4,bytes,opt) +} + +// ExternalMetricStatus indicates the current value of a global metric +// not associated with any Kubernetes object. +#ExternalMetricStatus: { + // metricName is the name of a metric used for autoscaling in + // metric system. + metricName: string @go(MetricName) @protobuf(1,bytes) + + // metricSelector is used to identify a specific time series + // within a given metric. + // +optional + metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // currentValue is the current value of the metric (as a quantity) + currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes) + + // currentAverageValue is the current value of metric averaged over autoscaled pods. + // +optional + currentAverageValue?: null | resource.#Quantity @go(CurrentAverageValue,*resource.Quantity) @protobuf(4,bytes,opt) +} diff --git a/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue b/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue new file mode 100644 index 0000000..aea0fb2 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v2 + +package v2 + +#GroupName: "autoscaling" diff --git a/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue b/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue new file mode 100644 index 0000000..7670208 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue @@ -0,0 +1,597 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v2 + +package v2 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" +) + +// HorizontalPodAutoscaler is the configuration for a horizontal pod +// autoscaler, which automatically manages the replica count of any resource +// implementing the scale subresource based on the metrics specified. +#HorizontalPodAutoscaler: { + metav1.#TypeMeta + + // metadata is the standard object metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the specification for the behaviour of the autoscaler. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current information about the autoscaler. + // +optional + status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler. +#HorizontalPodAutoscalerSpec: { + // scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics + // should be collected, as well as to actually change the replica count. + scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt) + + // minReplicas is the lower limit for the number of replicas to which the autoscaler + // can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + // alpha feature gate HPAScaleToZero is enabled and at least one Object or External + // metric is configured. Scaling is active as long as at least one metric value is + // available. + // +optional + minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt) + + // maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. + // It cannot be less that minReplicas. + maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt) + + // metrics contains the specifications for which to use to calculate the + // desired replica count (the maximum replica count across all metrics will + // be used). The desired replica count is calculated multiplying the + // ratio between the target value and the current value by the current + // number of pods. Ergo, metrics used must decrease as the pod count is + // increased, and vice-versa. See the individual metric source types for + // more information about how each type of metric must respond. + // If not set, the default metric will be set to 80% average CPU utilization. + // +listType=atomic + // +optional + metrics?: [...#MetricSpec] @go(Metrics,[]MetricSpec) @protobuf(4,bytes,rep) + + // behavior configures the scaling behavior of the target + // in both Up and Down directions (scaleUp and scaleDown fields respectively). + // If not set, the default HPAScalingRules for scale up and scale down are used. + // +optional + behavior?: null | #HorizontalPodAutoscalerBehavior @go(Behavior,*HorizontalPodAutoscalerBehavior) @protobuf(5,bytes,opt) +} + +// CrossVersionObjectReference contains enough information to let you identify the referred resource. +#CrossVersionObjectReference: { + // kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(2,bytes,opt) + + // apiVersion is the API version of the referent + // +optional + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) +} + +// MetricSpec specifies how to scale based on a single metric +// (only `type` and one other matching field should be set at once). +#MetricSpec: { + // type is the type of metric source. It should be one of "ContainerResource", "External", + // "Object", "Pods" or "Resource", each mapping to a matching field in the object. + // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in + // each pod of the current scale target (e.g. CPU or memory). Such metrics are + // built in to Kubernetes, and have special scaling options on top of those + // available to normal per-pod metrics using the "pods" source. + // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. + // +optional + containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt) +} + +// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target +// in both Up and Down directions (scaleUp and scaleDown fields respectively). +#HorizontalPodAutoscalerBehavior: { + // scaleUp is scaling policy for scaling Up. + // If not set, the default value is the higher of: + // * increase no more than 4 pods per 60 seconds + // * double the number of pods per 60 seconds + // No stabilization is used. + // +optional + scaleUp?: null | #HPAScalingRules @go(ScaleUp,*HPAScalingRules) @protobuf(1,bytes,opt) + + // scaleDown is scaling policy for scaling Down. + // If not set, the default value is to allow to scale down to minReplicas pods, with a + // 300 second stabilization window (i.e., the highest recommendation for + // the last 300sec is used). + // +optional + scaleDown?: null | #HPAScalingRules @go(ScaleDown,*HPAScalingRules) @protobuf(2,bytes,opt) +} + +// ScalingPolicySelect is used to specify which policy should be used while scaling in a certain direction +#ScalingPolicySelect: string // #enumScalingPolicySelect + +#enumScalingPolicySelect: + #MaxChangePolicySelect | + #MinChangePolicySelect | + #DisabledPolicySelect + +// MaxChangePolicySelect selects the policy with the highest possible change. +#MaxChangePolicySelect: #ScalingPolicySelect & "Max" + +// MinChangePolicySelect selects the policy with the lowest possible change. +#MinChangePolicySelect: #ScalingPolicySelect & "Min" + +// DisabledPolicySelect disables the scaling in this direction. +#DisabledPolicySelect: #ScalingPolicySelect & "Disabled" + +// HPAScalingRules configures the scaling behavior for one direction. +// These Rules are applied after calculating DesiredReplicas from metrics for the HPA. +// They can limit the scaling velocity by specifying scaling policies. +// They can prevent flapping by specifying the stabilization window, so that the +// number of replicas is not set instantly, instead, the safest value from the stabilization +// window is chosen. +#HPAScalingRules: { + // stabilizationWindowSeconds is the number of seconds for which past recommendations should be + // considered while scaling up or scaling down. + // StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + // If not set, use the default values: + // - For scale up: 0 (i.e. no stabilization is done). + // - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + // +optional + stabilizationWindowSeconds?: null | int32 @go(StabilizationWindowSeconds,*int32) @protobuf(3,varint,opt) + + // selectPolicy is used to specify which policy should be used. + // If not set, the default value Max is used. + // +optional + selectPolicy?: null | #ScalingPolicySelect @go(SelectPolicy,*ScalingPolicySelect) @protobuf(1,bytes,opt) + + // policies is a list of potential scaling polices which can be used during scaling. + // At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid + // +listType=atomic + // +optional + policies?: [...#HPAScalingPolicy] @go(Policies,[]HPAScalingPolicy) @protobuf(2,bytes,rep) +} + +// HPAScalingPolicyType is the type of the policy which could be used while making scaling decisions. +#HPAScalingPolicyType: string // #enumHPAScalingPolicyType + +#enumHPAScalingPolicyType: + #PodsScalingPolicy | + #PercentScalingPolicy + +// PodsScalingPolicy is a policy used to specify a change in absolute number of pods. +#PodsScalingPolicy: #HPAScalingPolicyType & "Pods" + +// PercentScalingPolicy is a policy used to specify a relative amount of change with respect to +// the current number of pods. +#PercentScalingPolicy: #HPAScalingPolicyType & "Percent" + +// HPAScalingPolicy is a single policy which must hold true for a specified past interval. +#HPAScalingPolicy: { + // type is used to specify the scaling policy. + type: #HPAScalingPolicyType @go(Type) @protobuf(1,bytes,opt,casttype=HPAScalingPolicyType) + + // value contains the amount of change which is permitted by the policy. + // It must be greater than zero + value: int32 @go(Value) @protobuf(2,varint,opt) + + // periodSeconds specifies the window of time for which the policy should hold true. + // PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + periodSeconds: int32 @go(PeriodSeconds) @protobuf(3,varint,opt) +} + +// MetricSourceType indicates the type of metric. +#MetricSourceType: string // #enumMetricSourceType + +#enumMetricSourceType: + #ObjectMetricSourceType | + #PodsMetricSourceType | + #ResourceMetricSourceType | + #ContainerResourceMetricSourceType | + #ExternalMetricSourceType + +// ObjectMetricSourceType is a metric describing a kubernetes object +// (for example, hits-per-second on an Ingress object). +#ObjectMetricSourceType: #MetricSourceType & "Object" + +// PodsMetricSourceType is a metric describing each pod in the current scale +// target (for example, transactions-processed-per-second). The values +// will be averaged together before being compared to the target value. +#PodsMetricSourceType: #MetricSourceType & "Pods" + +// ResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ResourceMetricSourceType: #MetricSourceType & "Resource" + +// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing a single container in each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource" + +// ExternalMetricSourceType is a global metric that is not associated +// with any Kubernetes object. It allows autoscaling based on information +// coming from components running outside of cluster +// (for example length of queue in cloud messaging service, or +// QPS from loadbalancer running outside of cluster). +#ExternalMetricSourceType: #MetricSourceType & "External" + +// ObjectMetricSource indicates how to scale on a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricSource: { + // describedObject specifies the descriptions of a object,such as kind,name apiVersion + describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) + + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(3,bytes) +} + +// PodsMetricSource indicates how to scale on a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +// The values will be averaged together before being compared to the target +// value. +#PodsMetricSource: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// ResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// ContainerResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ContainerResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) + + // container is the name of the container in the pods of the scaling target + container: string @go(Container) @protobuf(3,bytes,opt) +} + +// ExternalMetricSource indicates how to scale on a metric not associated with +// any Kubernetes object (for example length of queue in cloud +// messaging service, or QPS from loadbalancer running outside of cluster). +#ExternalMetricSource: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// MetricIdentifier defines the name and optionally selector for a metric +#MetricIdentifier: { + // name is the name of the given metric + name: string @go(Name) @protobuf(1,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes) +} + +// MetricTarget defines the target value, average value, or average utilization of a specific metric +#MetricTarget: { + // type represents whether the metric type is Utilization, Value, or AverageValue + type: #MetricTargetType @go(Type) @protobuf(1,bytes) + + // value is the target value of the metric (as a quantity). + // +optional + value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(2,bytes,opt) + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // averageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // Currently only valid for Resource metric source type + // +optional + averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(4,bytes,opt) +} + +// MetricTargetType specifies the type of metric being targeted, and should be either +// "Value", "AverageValue", or "Utilization" +#MetricTargetType: string // #enumMetricTargetType + +#enumMetricTargetType: + #UtilizationMetricType | + #ValueMetricType | + #AverageValueMetricType + +// UtilizationMetricType declares a MetricTarget is an AverageUtilization value +#UtilizationMetricType: #MetricTargetType & "Utilization" + +// ValueMetricType declares a MetricTarget is a raw value +#ValueMetricType: #MetricTargetType & "Value" + +// AverageValueMetricType declares a MetricTarget is an +#AverageValueMetricType: #MetricTargetType & "AverageValue" + +// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler. +#HorizontalPodAutoscalerStatus: { + // observedGeneration is the most recent generation observed by this autoscaler. + // +optional + observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt) + + // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, + // used by the autoscaler to control how often the number of pods is changed. + // +optional + lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt) + + // currentReplicas is current number of replicas of pods managed by this autoscaler, + // as last seen by the autoscaler. + // +optional + currentReplicas?: int32 @go(CurrentReplicas) @protobuf(3,varint,opt) + + // desiredReplicas is the desired number of replicas of pods managed by this autoscaler, + // as last calculated by the autoscaler. + desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt) + + // currentMetrics is the last read state of the metrics used by this autoscaler. + // +listType=atomic + // +optional + currentMetrics: [...#MetricStatus] @go(CurrentMetrics,[]MetricStatus) @protobuf(5,bytes,rep) + + // conditions is the set of conditions required for this autoscaler to scale its target, + // and indicates whether or not those conditions are met. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + // +optional + conditions?: [...#HorizontalPodAutoscalerCondition] @go(Conditions,[]HorizontalPodAutoscalerCondition) @protobuf(6,bytes,rep) +} + +// HorizontalPodAutoscalerConditionType are the valid conditions of +// a HorizontalPodAutoscaler. +#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType + +#enumHorizontalPodAutoscalerConditionType: + #ScalingActive | + #AbleToScale | + #ScalingLimited + +// ScalingActive indicates that the HPA controller is able to scale if necessary: +// it's correctly configured, can fetch the desired metrics, and isn't disabled. +#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive" + +// AbleToScale indicates a lack of transient issues which prevent scaling from occurring, +// such as being in a backoff window, or being unable to access/update the target scale. +#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale" + +// ScalingLimited indicates that the calculated scale based on metrics would be above or +// below the range for the HPA, and has thus been capped. +#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited" + +// HorizontalPodAutoscalerCondition describes the state of +// a HorizontalPodAutoscaler at a certain point. +#HorizontalPodAutoscalerCondition: { + // type describes the current condition + type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes) + + // status is the status of the condition (True, False, Unknown) + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes) + + // lastTransitionTime is the last time the condition transitioned from + // one status to another + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is the reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable explanation containing details about + // the transition + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// MetricStatus describes the last-read state of a single metric. +#MetricStatus: { + // type is the type of metric source. It will be one of "ContainerResource", "External", + // "Object", "Pods" or "Resource", each corresponds to a matching field in the object. + // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt) + + // container resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt) +} + +// ObjectMetricStatus indicates the current value of a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) + + // DescribedObject specifies the descriptions of a object,such as kind,name apiVersion + describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(3,bytes) +} + +// PodsMetricStatus indicates the current value of a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +#PodsMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// ResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// ContainerResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing a single container in each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ContainerResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) + + // container is the name of the container in the pods of the scaling target + container: string @go(Container) @protobuf(3,bytes,opt) +} + +// ExternalMetricStatus indicates the current value of a global metric +// not associated with any Kubernetes object. +#ExternalMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// MetricValueStatus holds the current value for a metric +#MetricValueStatus: { + // value is the current value of the metric (as a quantity). + // +optional + value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(1,bytes,opt) + + // averageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(2,bytes,opt) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // +optional + averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(3,bytes,opt) +} + +// HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects. +#HorizontalPodAutoscalerList: { + metav1.#TypeMeta + + // metadata is the standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of horizontal pod autoscaler objects. + items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep) +} diff --git a/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue new file mode 100644 index 0000000..5c48908 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/batch/v1 + +package v1 + +#GroupName: "batch" diff --git a/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue new file mode 100644 index 0000000..3cbdc66 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue @@ -0,0 +1,693 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/batch/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" +) + +// All Kubernetes labels need to be prefixed with Kubernetes to distinguish them from end-user labels +// More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#label-selector-and-annotation-conventions +_#labelPrefix: "batch.kubernetes.io/" + +// CronJobScheduledTimestampAnnotation is the scheduled timestamp annotation for the Job. +// It records the original/expected scheduled timestamp for the running job, represented in RFC3339. +// The CronJob controller adds this annotation if the CronJobsScheduledAnnotation feature gate (beta in 1.28) is enabled. +#CronJobScheduledTimestampAnnotation: "batch.kubernetes.io/cronjob-scheduled-timestamp" +#JobCompletionIndexAnnotation: "batch.kubernetes.io/job-completion-index" + +// JobTrackingFinalizer is a finalizer for Job's pods. It prevents them from +// being deleted before being accounted in the Job status. +// +// Additionally, the apiserver and job controller use this string as a Job +// annotation, to mark Jobs that are being tracked using pod finalizers. +// However, this behavior is deprecated in kubernetes 1.26. This means that, in +// 1.27+, one release after JobTrackingWithFinalizers graduates to GA, the +// apiserver and job controller will ignore this annotation and they will +// always track jobs using finalizers. +#JobTrackingFinalizer: "batch.kubernetes.io/job-tracking" + +// The Job labels will use batch.kubernetes.io as a prefix for all labels +// Historically the job controller uses unprefixed labels for job-name and controller-uid and +// Kubernetes continutes to recognize those unprefixed labels for consistency. +#JobNameLabel: "batch.kubernetes.io/job-name" + +// ControllerUid is used to programatically get pods corresponding to a Job. +// There is a corresponding label without the batch.kubernetes.io that we support for legacy reasons. +#ControllerUidLabel: "batch.kubernetes.io/controller-uid" + +// Annotation indicating the number of failures for the index corresponding +// to the pod, which are counted towards the backoff limit. +#JobIndexFailureCountAnnotation: "batch.kubernetes.io/job-index-failure-count" + +// Annotation indicating the number of failures for the index corresponding +// to the pod, which don't count towards the backoff limit, according to the +// pod failure policy. When the annotation is absent zero is implied. +#JobIndexIgnoredFailureCountAnnotation: "batch.kubernetes.io/job-index-ignored-failure-count" + +// Job represents the configuration of a single job. +#Job: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of a job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt) + + // Current status of a job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #JobStatus @go(Status) @protobuf(3,bytes,opt) +} + +// JobList is a collection of jobs. +#JobList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of Jobs. + items: [...#Job] @go(Items,[]Job) @protobuf(2,bytes,rep) +} + +// CompletionMode specifies how Pod completions of a Job are tracked. +// +enum +#CompletionMode: string // #enumCompletionMode + +#enumCompletionMode: + #NonIndexedCompletion | + #IndexedCompletion + +// NonIndexedCompletion is a Job completion mode. In this mode, the Job is +// considered complete when there have been .spec.completions +// successfully completed Pods. Pod completions are homologous to each other. +#NonIndexedCompletion: #CompletionMode & "NonIndexed" + +// IndexedCompletion is a Job completion mode. In this mode, the Pods of a +// Job get an associated completion index from 0 to (.spec.completions - 1). +// The Job is considered complete when a Pod completes for each completion +// index. +#IndexedCompletion: #CompletionMode & "Indexed" + +// PodFailurePolicyAction specifies how a Pod failure is handled. +// +enum +#PodFailurePolicyAction: string // #enumPodFailurePolicyAction + +#enumPodFailurePolicyAction: + #PodFailurePolicyActionFailJob | + #PodFailurePolicyActionFailIndex | + #PodFailurePolicyActionIgnore | + #PodFailurePolicyActionCount + +// This is an action which might be taken on a pod failure - mark the +// pod's job as Failed and terminate all running pods. +#PodFailurePolicyActionFailJob: #PodFailurePolicyAction & "FailJob" + +// This is an action which might be taken on a pod failure - mark the +// Job's index as failed to avoid restarts within this index. This action +// can only be used when backoffLimitPerIndex is set. +#PodFailurePolicyActionFailIndex: #PodFailurePolicyAction & "FailIndex" + +// This is an action which might be taken on a pod failure - the counter towards +// .backoffLimit, represented by the job's .status.failed field, is not +// incremented and a replacement pod is created. +#PodFailurePolicyActionIgnore: #PodFailurePolicyAction & "Ignore" + +// This is an action which might be taken on a pod failure - the pod failure +// is handled in the default way - the counter towards .backoffLimit, +// represented by the job's .status.failed field, is incremented. +#PodFailurePolicyActionCount: #PodFailurePolicyAction & "Count" + +// +enum +#PodFailurePolicyOnExitCodesOperator: string // #enumPodFailurePolicyOnExitCodesOperator + +#enumPodFailurePolicyOnExitCodesOperator: + #PodFailurePolicyOnExitCodesOpIn | + #PodFailurePolicyOnExitCodesOpNotIn + +#PodFailurePolicyOnExitCodesOpIn: #PodFailurePolicyOnExitCodesOperator & "In" +#PodFailurePolicyOnExitCodesOpNotIn: #PodFailurePolicyOnExitCodesOperator & "NotIn" + +// PodReplacementPolicy specifies the policy for creating pod replacements. +// +enum +#PodReplacementPolicy: string // #enumPodReplacementPolicy + +#enumPodReplacementPolicy: + #TerminatingOrFailed | + #Failed + +// TerminatingOrFailed means that we recreate pods +// when they are terminating (has a metadata.deletionTimestamp) or failed. +#TerminatingOrFailed: #PodReplacementPolicy & "TerminatingOrFailed" + +// Failed means to wait until a previously created Pod is fully terminated (has phase +// Failed or Succeeded) before creating a replacement Pod. +#Failed: #PodReplacementPolicy & "Failed" + +// PodFailurePolicyOnExitCodesRequirement describes the requirement for handling +// a failed pod based on its container exit codes. In particular, it lookups the +// .state.terminated.exitCode for each app container and init container status, +// represented by the .status.containerStatuses and .status.initContainerStatuses +// fields in the Pod status, respectively. Containers completed with success +// (exit code 0) are excluded from the requirement check. +#PodFailurePolicyOnExitCodesRequirement: { + // Restricts the check for exit codes to the container with the + // specified name. When null, the rule applies to all containers. + // When specified, it should match one the container or initContainer + // names in the pod template. + // +optional + containerName?: null | string @go(ContainerName,*string) @protobuf(1,bytes,opt) + + // Represents the relationship between the container exit code(s) and the + // specified values. Containers completed with success (exit code 0) are + // excluded from the requirement check. Possible values are: + // + // - In: the requirement is satisfied if at least one container exit code + // (might be multiple if there are multiple containers not restricted + // by the 'containerName' field) is in the set of specified values. + // - NotIn: the requirement is satisfied if at least one container exit code + // (might be multiple if there are multiple containers not restricted + // by the 'containerName' field) is not in the set of specified values. + // Additional values are considered to be added in the future. Clients should + // react to an unknown operator by assuming the requirement is not satisfied. + operator: #PodFailurePolicyOnExitCodesOperator @go(Operator) @protobuf(2,bytes,req) + + // Specifies the set of values. Each returned container exit code (might be + // multiple in case of multiple containers) is checked against this set of + // values with respect to the operator. The list of values must be ordered + // and must not contain duplicates. Value '0' cannot be used for the In operator. + // At least one element is required. At most 255 elements are allowed. + // +listType=set + values: [...int32] @go(Values,[]int32) @protobuf(3,varint,rep) +} + +// PodFailurePolicyOnPodConditionsPattern describes a pattern for matching +// an actual pod condition type. +#PodFailurePolicyOnPodConditionsPattern: { + // Specifies the required Pod condition type. To match a pod condition + // it is required that specified type equals the pod condition type. + type: corev1.#PodConditionType @go(Type) @protobuf(1,bytes,req) + + // Specifies the required Pod condition status. To match a pod condition + // it is required that the specified status equals the pod condition status. + // Defaults to True. + status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,req) +} + +// PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. +// One of onExitCodes and onPodConditions, but not both, can be used in each rule. +#PodFailurePolicyRule: { + // Specifies the action taken on a pod failure when the requirements are satisfied. + // Possible values are: + // + // - FailJob: indicates that the pod's job is marked as Failed and all + // running pods are terminated. + // - FailIndex: indicates that the pod's index is marked as Failed and will + // not be restarted. + // This value is alpha-level. It can be used when the + // `JobBackoffLimitPerIndex` feature gate is enabled (disabled by default). + // - Ignore: indicates that the counter towards the .backoffLimit is not + // incremented and a replacement pod is created. + // - Count: indicates that the pod is handled in the default way - the + // counter towards the .backoffLimit is incremented. + // Additional values are considered to be added in the future. Clients should + // react to an unknown action by skipping the rule. + action: #PodFailurePolicyAction @go(Action) @protobuf(1,bytes,req) + + // Represents the requirement on the container exit codes. + // +optional + onExitCodes?: null | #PodFailurePolicyOnExitCodesRequirement @go(OnExitCodes,*PodFailurePolicyOnExitCodesRequirement) @protobuf(2,bytes,opt) + + // Represents the requirement on the pod conditions. The requirement is represented + // as a list of pod condition patterns. The requirement is satisfied if at + // least one pattern matches an actual pod condition. At most 20 elements are allowed. + // +listType=atomic + // +optional + onPodConditions: [...#PodFailurePolicyOnPodConditionsPattern] @go(OnPodConditions,[]PodFailurePolicyOnPodConditionsPattern) @protobuf(3,bytes,opt) +} + +// PodFailurePolicy describes how failed pods influence the backoffLimit. +#PodFailurePolicy: { + // A list of pod failure policy rules. The rules are evaluated in order. + // Once a rule matches a Pod failure, the remaining of the rules are ignored. + // When no rule matches the Pod failure, the default handling applies - the + // counter of pod failures is incremented and it is checked against + // the backoffLimit. At most 20 elements are allowed. + // +listType=atomic + rules: [...#PodFailurePolicyRule] @go(Rules,[]PodFailurePolicyRule) @protobuf(1,bytes,opt) +} + +// JobSpec describes how the job execution will look like. +#JobSpec: { + // Specifies the maximum desired number of pods the job should + // run at any given time. The actual number of pods running in steady state will + // be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism), + // i.e. when the work left to do is less than max parallelism. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + parallelism?: null | int32 @go(Parallelism,*int32) @protobuf(1,varint,opt) + + // Specifies the desired number of successfully finished pods the + // job should be run with. Setting to null means that the success of any + // pod signals the success of all pods, and allows parallelism to have any positive + // value. Setting to 1 means that parallelism is limited to 1 and the success of that + // pod signals the success of the job. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + completions?: null | int32 @go(Completions,*int32) @protobuf(2,varint,opt) + + // Specifies the duration in seconds relative to the startTime that the job + // may be continuously active before the system tries to terminate it; value + // must be positive integer. If a Job is suspended (at creation or through an + // update), this timer will effectively be stopped and reset when the Job is + // resumed again. + // +optional + activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(3,varint,opt) + + // Specifies the policy of handling failed pods. In particular, it allows to + // specify the set of actions and conditions which need to be + // satisfied to take the associated action. + // If empty, the default behaviour applies - the counter of failed pods, + // represented by the jobs's .status.failed field, is incremented and it is + // checked against the backoffLimit. This field cannot be used in combination + // with restartPolicy=OnFailure. + // + // This field is beta-level. It can be used when the `JobPodFailurePolicy` + // feature gate is enabled (enabled by default). + // +optional + podFailurePolicy?: null | #PodFailurePolicy @go(PodFailurePolicy,*PodFailurePolicy) @protobuf(11,bytes,opt) + + // Specifies the number of retries before marking this job failed. + // Defaults to 6 + // +optional + backoffLimit?: null | int32 @go(BackoffLimit,*int32) @protobuf(7,varint,opt) + + // Specifies the limit for the number of retries within an + // index before marking this index as failed. When enabled the number of + // failures per index is kept in the pod's + // batch.kubernetes.io/job-index-failure-count annotation. It can only + // be set when Job's completionMode=Indexed, and the Pod's restart + // policy is Never. The field is immutable. + // This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). + // +optional + backoffLimitPerIndex?: null | int32 @go(BackoffLimitPerIndex,*int32) @protobuf(12,varint,opt) + + // Specifies the maximal number of failed indexes before marking the Job as + // failed, when backoffLimitPerIndex is set. Once the number of failed + // indexes exceeds this number the entire Job is marked as Failed and its + // execution is terminated. When left as null the job continues execution of + // all of its indexes and is marked with the `Complete` Job condition. + // It can only be specified when backoffLimitPerIndex is set. + // It can be null or up to completions. It is required and must be + // less than or equal to 10^4 when is completions greater than 10^5. + // This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). + // +optional + maxFailedIndexes?: null | int32 @go(MaxFailedIndexes,*int32) @protobuf(13,varint,opt) + + // A label query over pods that should match the pod count. + // Normally, the system sets this field for you. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // manualSelector controls generation of pod labels and pod selectors. + // Leave `manualSelector` unset unless you are certain what you are doing. + // When false or unset, the system pick labels unique to this job + // and appends those labels to the pod template. When true, + // the user is responsible for picking unique labels and specifying + // the selector. Failure to pick a unique label may cause this + // and other jobs to not function correctly. However, You may see + // `manualSelector=true` in jobs that were created with the old `extensions/v1beta1` + // API. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector + // +optional + manualSelector?: null | bool @go(ManualSelector,*bool) @protobuf(5,varint,opt) + + // Describes the pod that will be created when executing a job. + // The only allowed template.spec.restartPolicy values are "Never" or "OnFailure". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + template: corev1.#PodTemplateSpec @go(Template) @protobuf(6,bytes,opt) + + // ttlSecondsAfterFinished limits the lifetime of a Job that has finished + // execution (either Complete or Failed). If this field is set, + // ttlSecondsAfterFinished after the Job finishes, it is eligible to be + // automatically deleted. When the Job is being deleted, its lifecycle + // guarantees (e.g. finalizers) will be honored. If this field is unset, + // the Job won't be automatically deleted. If this field is set to zero, + // the Job becomes eligible to be deleted immediately after it finishes. + // +optional + ttlSecondsAfterFinished?: null | int32 @go(TTLSecondsAfterFinished,*int32) @protobuf(8,varint,opt) + + // completionMode specifies how Pod completions are tracked. It can be + // `NonIndexed` (default) or `Indexed`. + // + // `NonIndexed` means that the Job is considered complete when there have + // been .spec.completions successfully completed Pods. Each Pod completion is + // homologous to each other. + // + // `Indexed` means that the Pods of a + // Job get an associated completion index from 0 to (.spec.completions - 1), + // available in the annotation batch.kubernetes.io/job-completion-index. + // The Job is considered complete when there is one successfully completed Pod + // for each index. + // When value is `Indexed`, .spec.completions must be specified and + // `.spec.parallelism` must be less than or equal to 10^5. + // In addition, The Pod name takes the form + // `$(job-name)-$(index)-$(random-string)`, + // the Pod hostname takes the form `$(job-name)-$(index)`. + // + // More completion modes can be added in the future. + // If the Job controller observes a mode that it doesn't recognize, which + // is possible during upgrades due to version skew, the controller + // skips updates for the Job. + // +optional + completionMode?: null | #CompletionMode @go(CompletionMode,*CompletionMode) @protobuf(9,bytes,opt,casttype=CompletionMode) + + // suspend specifies whether the Job controller should create Pods or not. If + // a Job is created with suspend set to true, no Pods are created by the Job + // controller. If a Job is suspended after creation (i.e. the flag goes from + // false to true), the Job controller will delete all active Pods associated + // with this Job. Users must design their workload to gracefully handle this. + // Suspending a Job will reset the StartTime field of the Job, effectively + // resetting the ActiveDeadlineSeconds timer too. Defaults to false. + // + // +optional + suspend?: null | bool @go(Suspend,*bool) @protobuf(10,varint,opt) + + // podReplacementPolicy specifies when to create replacement Pods. + // Possible values are: + // - TerminatingOrFailed means that we recreate pods + // when they are terminating (has a metadata.deletionTimestamp) or failed. + // - Failed means to wait until a previously created Pod is fully terminated (has phase + // Failed or Succeeded) before creating a replacement Pod. + // + // When using podFailurePolicy, Failed is the the only allowed value. + // TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use. + // This is an alpha field. Enable JobPodReplacementPolicy to be able to use this field. + // +optional + podReplacementPolicy?: null | #PodReplacementPolicy @go(PodReplacementPolicy,*PodReplacementPolicy) @protobuf(14,bytes,opt,casttype=podReplacementPolicy) +} + +// JobStatus represents the current state of a Job. +#JobStatus: { + // The latest available observations of an object's current state. When a Job + // fails, one of the conditions will have type "Failed" and status true. When + // a Job is suspended, one of the conditions will have type "Suspended" and + // status true; when the Job is resumed, the status of this condition will + // become false. When a Job is completed, one of the conditions will have + // type "Complete" and status true. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=atomic + conditions?: [...#JobCondition] @go(Conditions,[]JobCondition) @protobuf(1,bytes,rep) + + // Represents time when the job controller started processing a job. When a + // Job is created in the suspended state, this field is not set until the + // first time it is resumed. This field is reset every time a Job is resumed + // from suspension. It is represented in RFC3339 form and is in UTC. + // +optional + startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(2,bytes,opt) + + // Represents time when the job was completed. It is not guaranteed to + // be set in happens-before order across separate operations. + // It is represented in RFC3339 form and is in UTC. + // The completion time is only set when the job finishes successfully. + // +optional + completionTime?: null | metav1.#Time @go(CompletionTime,*metav1.Time) @protobuf(3,bytes,opt) + + // The number of pending and running pods. + // +optional + active?: int32 @go(Active) @protobuf(4,varint,opt) + + // The number of pods which reached phase Succeeded. + // +optional + succeeded?: int32 @go(Succeeded) @protobuf(5,varint,opt) + + // The number of pods which reached phase Failed. + // +optional + failed?: int32 @go(Failed) @protobuf(6,varint,opt) + + // The number of pods which are terminating (in phase Pending or Running + // and have a deletionTimestamp). + // + // This field is alpha-level. The job controller populates the field when + // the feature gate JobPodReplacementPolicy is enabled (disabled by default). + // +optional + terminating?: null | int32 @go(Terminating,*int32) @protobuf(11,varint,opt) + + // completedIndexes holds the completed indexes when .spec.completionMode = + // "Indexed" in a text format. The indexes are represented as decimal integers + // separated by commas. The numbers are listed in increasing order. Three or + // more consecutive numbers are compressed and represented by the first and + // last element of the series, separated by a hyphen. + // For example, if the completed indexes are 1, 3, 4, 5 and 7, they are + // represented as "1,3-5,7". + // +optional + completedIndexes?: string @go(CompletedIndexes) @protobuf(7,bytes,opt) + + // FailedIndexes holds the failed indexes when backoffLimitPerIndex=true. + // The indexes are represented in the text format analogous as for the + // `completedIndexes` field, ie. they are kept as decimal integers + // separated by commas. The numbers are listed in increasing order. Three or + // more consecutive numbers are compressed and represented by the first and + // last element of the series, separated by a hyphen. + // For example, if the failed indexes are 1, 3, 4, 5 and 7, they are + // represented as "1,3-5,7". + // This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). + // +optional + failedIndexes?: null | string @go(FailedIndexes,*string) @protobuf(10,bytes,opt) + + // uncountedTerminatedPods holds the UIDs of Pods that have terminated but + // the job controller hasn't yet accounted for in the status counters. + // + // The job controller creates pods with a finalizer. When a pod terminates + // (succeeded or failed), the controller does three steps to account for it + // in the job status: + // + // 1. Add the pod UID to the arrays in this field. + // 2. Remove the pod finalizer. + // 3. Remove the pod UID from the arrays while increasing the corresponding + // counter. + // + // Old jobs might not be tracked using this field, in which case the field + // remains null. + // +optional + uncountedTerminatedPods?: null | #UncountedTerminatedPods @go(UncountedTerminatedPods,*UncountedTerminatedPods) @protobuf(8,bytes,opt) + + // The number of pods which have a Ready condition. + // + // This field is beta-level. The job controller populates the field when + // the feature gate JobReadyPods is enabled (enabled by default). + // +optional + ready?: null | int32 @go(Ready,*int32) @protobuf(9,varint,opt) +} + +// UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't +// been accounted in Job status counters. +#UncountedTerminatedPods: { + // succeeded holds UIDs of succeeded Pods. + // +listType=set + // +optional + succeeded?: [...types.#UID] @go(Succeeded,[]types.UID) @protobuf(1,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID) + + // failed holds UIDs of failed Pods. + // +listType=set + // +optional + failed?: [...types.#UID] @go(Failed,[]types.UID) @protobuf(2,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +#JobConditionType: string // #enumJobConditionType + +#enumJobConditionType: + #JobSuspended | + #JobComplete | + #JobFailed | + #JobFailureTarget + +// JobSuspended means the job has been suspended. +#JobSuspended: #JobConditionType & "Suspended" + +// JobComplete means the job has completed its execution. +#JobComplete: #JobConditionType & "Complete" + +// JobFailed means the job has failed its execution. +#JobFailed: #JobConditionType & "Failed" + +// FailureTarget means the job is about to fail its execution. +#JobFailureTarget: #JobConditionType & "FailureTarget" + +// JobCondition describes current state of a job. +#JobCondition: { + // Type of job condition, Complete or Failed. + type: #JobConditionType @go(Type) @protobuf(1,bytes,opt,casttype=JobConditionType) + + // Status of the condition, one of True, False, Unknown. + status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // Last time the condition was checked. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // Last time the condition transit from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // (brief) reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// JobTemplateSpec describes the data a Job should have when created from a template +#JobTemplateSpec: { + // Standard object's metadata of the jobs created from this template. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CronJob represents the configuration of a single cron job. +#CronJob: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of a cron job, including the schedule. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #CronJobSpec @go(Spec) @protobuf(2,bytes,opt) + + // Current status of a cron job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #CronJobStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CronJobList is a collection of cron jobs. +#CronJobList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CronJobs. + items: [...#CronJob] @go(Items,[]CronJob) @protobuf(2,bytes,rep) +} + +// CronJobSpec describes how the job execution will look like and when it will actually run. +#CronJobSpec: { + // The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron. + schedule: string @go(Schedule) @protobuf(1,bytes,opt) + + // The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. + // If not specified, this will default to the time zone of the kube-controller-manager process. + // The set of valid time zone names and the time zone offset is loaded from the system-wide time zone + // database by the API server during CronJob validation and the controller manager during execution. + // If no system-wide time zone database can be found a bundled version of the database is used instead. + // If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host + // configuration, the controller will stop creating new new Jobs and will create a system event with the + // reason UnknownTimeZone. + // More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones + // +optional + timeZone?: null | string @go(TimeZone,*string) @protobuf(8,bytes,opt) + + // Optional deadline in seconds for starting the job if it misses scheduled + // time for any reason. Missed jobs executions will be counted as failed ones. + // +optional + startingDeadlineSeconds?: null | int64 @go(StartingDeadlineSeconds,*int64) @protobuf(2,varint,opt) + + // Specifies how to treat concurrent executions of a Job. + // Valid values are: + // + // - "Allow" (default): allows CronJobs to run concurrently; + // - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet; + // - "Replace": cancels currently running job and replaces it with a new one + // +optional + concurrencyPolicy?: #ConcurrencyPolicy @go(ConcurrencyPolicy) @protobuf(3,bytes,opt,casttype=ConcurrencyPolicy) + + // This flag tells the controller to suspend subsequent executions, it does + // not apply to already started executions. Defaults to false. + // +optional + suspend?: null | bool @go(Suspend,*bool) @protobuf(4,varint,opt) + + // Specifies the job that will be created when executing a CronJob. + jobTemplate: #JobTemplateSpec @go(JobTemplate) @protobuf(5,bytes,opt) + + // The number of successful finished jobs to retain. Value must be non-negative integer. + // Defaults to 3. + // +optional + successfulJobsHistoryLimit?: null | int32 @go(SuccessfulJobsHistoryLimit,*int32) @protobuf(6,varint,opt) + + // The number of failed finished jobs to retain. Value must be non-negative integer. + // Defaults to 1. + // +optional + failedJobsHistoryLimit?: null | int32 @go(FailedJobsHistoryLimit,*int32) @protobuf(7,varint,opt) +} + +// ConcurrencyPolicy describes how the job will be handled. +// Only one of the following concurrent policies may be specified. +// If none of the following policies is specified, the default one +// is AllowConcurrent. +// +enum +#ConcurrencyPolicy: string // #enumConcurrencyPolicy + +#enumConcurrencyPolicy: + #AllowConcurrent | + #ForbidConcurrent | + #ReplaceConcurrent + +// AllowConcurrent allows CronJobs to run concurrently. +#AllowConcurrent: #ConcurrencyPolicy & "Allow" + +// ForbidConcurrent forbids concurrent runs, skipping next run if previous +// hasn't finished yet. +#ForbidConcurrent: #ConcurrencyPolicy & "Forbid" + +// ReplaceConcurrent cancels currently running job and replaces it with a new one. +#ReplaceConcurrent: #ConcurrencyPolicy & "Replace" + +// CronJobStatus represents the current state of a cron job. +#CronJobStatus: { + // A list of pointers to currently running jobs. + // +optional + // +listType=atomic + active?: [...corev1.#ObjectReference] @go(Active,[]corev1.ObjectReference) @protobuf(1,bytes,rep) + + // Information when was the last time the job was successfully scheduled. + // +optional + lastScheduleTime?: null | metav1.#Time @go(LastScheduleTime,*metav1.Time) @protobuf(4,bytes,opt) + + // Information when was the last time the job successfully completed. + // +optional + lastSuccessfulTime?: null | metav1.#Time @go(LastSuccessfulTime,*metav1.Time) @protobuf(5,bytes,opt) +} diff --git a/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue new file mode 100644 index 0000000..f2ce343 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/certificates/v1 + +package v1 + +#GroupName: "certificates.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue new file mode 100644 index 0000000..401ca5c --- /dev/null +++ b/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue @@ -0,0 +1,318 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/certificates/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" +) + +// CertificateSigningRequest objects provide a mechanism to obtain x509 certificates +// by submitting a certificate signing request, and having it asynchronously approved and issued. +// +// Kubelets use this API to obtain: +// 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName). +// 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName). +// +// This API can be used to request client certificates to authenticate to kube-apiserver +// (with the "kubernetes.io/kube-apiserver-client" signerName), +// or to obtain certificates from custom non-Kubernetes signers. +#CertificateSigningRequest: { + metav1.#TypeMeta + + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec contains the certificate request, and is immutable after creation. + // Only the request, signerName, expirationSeconds, and usages fields can be set on creation. + // Other fields are derived by Kubernetes and cannot be modified by users. + spec: #CertificateSigningRequestSpec @go(Spec) @protobuf(2,bytes,opt) + + // status contains information about whether the request is approved or denied, + // and the certificate issued by the signer, or the failure condition indicating signer failure. + // +optional + status?: #CertificateSigningRequestStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CertificateSigningRequestSpec contains the certificate request. +#CertificateSigningRequestSpec: { + // request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. + // When serialized as JSON or YAML, the data is additionally base64-encoded. + // +listType=atomic + request: bytes @go(Request,[]byte) @protobuf(1,bytes,opt) + + // signerName indicates the requested signer, and is a qualified name. + // + // List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector. + // + // Well-known Kubernetes signers are: + // 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver. + // Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager. + // 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver. + // Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. + // 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely. + // Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. + // + // More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers + // + // Custom signerNames can also be specified. The signer defines: + // 1. Trust distribution: how trust (CA bundles) are distributed. + // 2. Permitted subjects: and behavior when a disallowed subject is requested. + // 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested. + // 4. Required, permitted, or forbidden key usages / extended key usages. + // 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin. + // 6. Whether or not requests for CA certificates are allowed. + signerName: string @go(SignerName) @protobuf(7,bytes,opt) + + // expirationSeconds is the requested duration of validity of the issued + // certificate. The certificate signer may issue a certificate with a different + // validity duration so a client must check the delta between the notBefore and + // and notAfter fields in the issued certificate to determine the actual duration. + // + // The v1.22+ in-tree implementations of the well-known Kubernetes signers will + // honor this field as long as the requested duration is not greater than the + // maximum duration they will honor per the --cluster-signing-duration CLI + // flag to the Kubernetes controller manager. + // + // Certificate signers may not honor this field for various reasons: + // + // 1. Old signer that is unaware of the field (such as the in-tree + // implementations prior to v1.22) + // 2. Signer whose configured maximum is shorter than the requested duration + // 3. Signer whose configured minimum is longer than the requested duration + // + // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes. + // + // +optional + expirationSeconds?: null | int32 @go(ExpirationSeconds,*int32) @protobuf(8,varint,opt) + + // usages specifies a set of key usages requested in the issued certificate. + // + // Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth". + // + // Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth". + // + // Valid values are: + // "signing", "digital signature", "content commitment", + // "key encipherment", "key agreement", "data encipherment", + // "cert sign", "crl sign", "encipher only", "decipher only", "any", + // "server auth", "client auth", + // "code signing", "email protection", "s/mime", + // "ipsec end system", "ipsec tunnel", "ipsec user", + // "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" + // +listType=atomic + usages?: [...#KeyUsage] @go(Usages,[]KeyUsage) @protobuf(5,bytes,opt) + + // username contains the name of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + username?: string @go(Username) @protobuf(2,bytes,opt) + + // uid contains the uid of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + uid?: string @go(UID) @protobuf(3,bytes,opt) + + // groups contains group membership of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +listType=atomic + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep) + + // extra contains extra attributes of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(6,bytes,rep) +} + +// "kubernetes.io/kube-apiserver-client" signer issues client certificates that can be used to authenticate to kube-apiserver. +// Never auto-approved by kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeAPIServerClientSignerName: "kubernetes.io/kube-apiserver-client" + +// "kubernetes.io/kube-apiserver-client-kubelet" issues client certificates that kubelets use to authenticate to kube-apiserver. +// Can be auto-approved by the "csrapproving" controller in kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeAPIServerClientKubeletSignerName: "kubernetes.io/kube-apiserver-client-kubelet" + +// "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, +// which kube-apiserver can connect to securely. +// Never auto-approved by kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeletServingSignerName: "kubernetes.io/kubelet-serving" + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// CertificateSigningRequestStatus contains conditions used to indicate +// approved/denied/failed status of the request, and the issued certificate. +#CertificateSigningRequestStatus: { + // conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed". + // +listType=map + // +listMapKey=type + // +optional + conditions?: [...#CertificateSigningRequestCondition] @go(Conditions,[]CertificateSigningRequestCondition) @protobuf(1,bytes,rep) + + // certificate is populated with an issued certificate by the signer after an Approved condition is present. + // This field is set via the /status subresource. Once populated, this field is immutable. + // + // If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. + // If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty. + // + // Validation requirements: + // 1. certificate must contain one or more PEM blocks. + // 2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data + // must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280. + // 3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated, + // to allow for explanatory text as described in section 5.2 of RFC7468. + // + // If more than one PEM block is present, and the definition of the requested spec.signerName + // does not indicate otherwise, the first block is the issued certificate, + // and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes. + // + // The certificate is encoded in PEM format. + // + // When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of: + // + // base64( + // -----BEGIN CERTIFICATE----- + // ... + // -----END CERTIFICATE----- + // ) + // + // +listType=atomic + // +optional + certificate?: bytes @go(Certificate,[]byte) @protobuf(2,bytes,opt) +} + +// RequestConditionType is the type of a CertificateSigningRequestCondition +#RequestConditionType: string // #enumRequestConditionType + +#enumRequestConditionType: + #CertificateApproved | + #CertificateDenied | + #CertificateFailed + +// Approved indicates the request was approved and should be issued by the signer. +#CertificateApproved: #RequestConditionType & "Approved" + +// Denied indicates the request was denied and should not be issued by the signer. +#CertificateDenied: #RequestConditionType & "Denied" + +// Failed indicates the signer failed to issue the certificate. +#CertificateFailed: #RequestConditionType & "Failed" + +// CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object +#CertificateSigningRequestCondition: { + // type of the condition. Known conditions are "Approved", "Denied", and "Failed". + // + // An "Approved" condition is added via the /approval subresource, + // indicating the request was approved and should be issued by the signer. + // + // A "Denied" condition is added via the /approval subresource, + // indicating the request was denied and should not be issued by the signer. + // + // A "Failed" condition is added via the /status subresource, + // indicating the signer failed to issue the certificate. + // + // Approved and Denied conditions are mutually exclusive. + // Approved, Denied, and Failed conditions cannot be removed once added. + // + // Only one condition of a given type is allowed. + type: #RequestConditionType @go(Type) @protobuf(1,bytes,opt,casttype=RequestConditionType) + + // status of the condition, one of True, False, Unknown. + // Approved, Denied, and Failed conditions may not be "False" or "Unknown". + status: v1.#ConditionStatus @go(Status) @protobuf(6,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // reason indicates a brief reason for the request state + // +optional + reason?: string @go(Reason) @protobuf(2,bytes,opt) + + // message contains a human readable message with details about the request state + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // lastUpdateTime is the time of the last update to this condition + // +optional + lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(4,bytes,opt) + + // lastTransitionTime is the time the condition last transitioned from one status to another. + // If unset, when a new condition type is added or an existing condition's status is changed, + // the server defaults this to the current time. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(5,bytes,opt) +} + +// CertificateSigningRequestList is a collection of CertificateSigningRequest objects +#CertificateSigningRequestList: { + metav1.#TypeMeta + + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a collection of CertificateSigningRequest objects + items: [...#CertificateSigningRequest] @go(Items,[]CertificateSigningRequest) @protobuf(2,bytes,rep) +} + +// KeyUsage specifies valid usage contexts for keys. +// See: +// +// https://tools.ietf.org/html/rfc5280#section-4.2.1.3 +// https://tools.ietf.org/html/rfc5280#section-4.2.1.12 +// +// +enum +#KeyUsage: string // #enumKeyUsage + +#enumKeyUsage: + #UsageSigning | + #UsageDigitalSignature | + #UsageContentCommitment | + #UsageKeyEncipherment | + #UsageKeyAgreement | + #UsageDataEncipherment | + #UsageCertSign | + #UsageCRLSign | + #UsageEncipherOnly | + #UsageDecipherOnly | + #UsageAny | + #UsageServerAuth | + #UsageClientAuth | + #UsageCodeSigning | + #UsageEmailProtection | + #UsageSMIME | + #UsageIPsecEndSystem | + #UsageIPsecTunnel | + #UsageIPsecUser | + #UsageTimestamping | + #UsageOCSPSigning | + #UsageMicrosoftSGC | + #UsageNetscapeSGC + +#UsageSigning: #KeyUsage & "signing" +#UsageDigitalSignature: #KeyUsage & "digital signature" +#UsageContentCommitment: #KeyUsage & "content commitment" +#UsageKeyEncipherment: #KeyUsage & "key encipherment" +#UsageKeyAgreement: #KeyUsage & "key agreement" +#UsageDataEncipherment: #KeyUsage & "data encipherment" +#UsageCertSign: #KeyUsage & "cert sign" +#UsageCRLSign: #KeyUsage & "crl sign" +#UsageEncipherOnly: #KeyUsage & "encipher only" +#UsageDecipherOnly: #KeyUsage & "decipher only" +#UsageAny: #KeyUsage & "any" +#UsageServerAuth: #KeyUsage & "server auth" +#UsageClientAuth: #KeyUsage & "client auth" +#UsageCodeSigning: #KeyUsage & "code signing" +#UsageEmailProtection: #KeyUsage & "email protection" +#UsageSMIME: #KeyUsage & "s/mime" +#UsageIPsecEndSystem: #KeyUsage & "ipsec end system" +#UsageIPsecTunnel: #KeyUsage & "ipsec tunnel" +#UsageIPsecUser: #KeyUsage & "ipsec user" +#UsageTimestamping: #KeyUsage & "timestamping" +#UsageOCSPSigning: #KeyUsage & "ocsp signing" +#UsageMicrosoftSGC: #KeyUsage & "microsoft sgc" +#UsageNetscapeSGC: #KeyUsage & "netscape sgc" diff --git a/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue new file mode 100644 index 0000000..d0a257d --- /dev/null +++ b/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/coordination/v1 + +package v1 + +#GroupName: "coordination.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue new file mode 100644 index 0000000..de2c741 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue @@ -0,0 +1,61 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/coordination/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Lease defines a lease concept. +#Lease: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec contains the specification of the Lease. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #LeaseSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// LeaseSpec is a specification of a Lease. +#LeaseSpec: { + // holderIdentity contains the identity of the holder of a current lease. + // +optional + holderIdentity?: null | string @go(HolderIdentity,*string) @protobuf(1,bytes,opt) + + // leaseDurationSeconds is a duration that candidates for a lease need + // to wait to force acquire it. This is measure against time of last + // observed renewTime. + // +optional + leaseDurationSeconds?: null | int32 @go(LeaseDurationSeconds,*int32) @protobuf(2,varint,opt) + + // acquireTime is a time when the current lease was acquired. + // +optional + acquireTime?: null | metav1.#MicroTime @go(AcquireTime,*metav1.MicroTime) @protobuf(3,bytes,opt) + + // renewTime is a time when the current holder of a lease has last + // updated the lease. + // +optional + renewTime?: null | metav1.#MicroTime @go(RenewTime,*metav1.MicroTime) @protobuf(4,bytes,opt) + + // leaseTransitions is the number of transitions of a lease between + // holders. + // +optional + leaseTransitions?: null | int32 @go(LeaseTransitions,*int32) @protobuf(5,varint,opt) +} + +// LeaseList is a list of Lease objects. +#LeaseList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#Lease] @go(Items,[]Lease) @protobuf(2,bytes,rep) +} diff --git a/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue new file mode 100644 index 0000000..19a7d63 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +#GroupName: "discovery.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue new file mode 100644 index 0000000..144ef53 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue @@ -0,0 +1,206 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" +) + +// EndpointSlice represents a subset of the endpoints that implement a service. +// For a given service there may be multiple EndpointSlice objects, selected by +// labels, which must be joined to produce the full set of endpoints. +#EndpointSlice: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // addressType specifies the type of address carried by this EndpointSlice. + // All addresses in this slice must be the same type. This field is + // immutable after creation. The following address types are currently + // supported: + // * IPv4: Represents an IPv4 Address. + // * IPv6: Represents an IPv6 Address. + // * FQDN: Represents a Fully Qualified Domain Name. + addressType: #AddressType @go(AddressType) @protobuf(4,bytes,rep) + + // endpoints is a list of unique endpoints in this slice. Each slice may + // include a maximum of 1000 endpoints. + // +listType=atomic + endpoints: [...#Endpoint] @go(Endpoints,[]Endpoint) @protobuf(2,bytes,rep) + + // ports specifies the list of network ports exposed by each endpoint in + // this slice. Each port must have a unique name. When ports is empty, it + // indicates that there are no defined ports. When a port is defined with a + // nil port value, it indicates "all ports". Each slice may include a + // maximum of 100 ports. + // +optional + // +listType=atomic + ports: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep) +} + +// AddressType represents the type of address referred to by an endpoint. +// +enum +#AddressType: string // #enumAddressType + +#enumAddressType: + #AddressTypeIPv4 | + #AddressTypeIPv6 | + #AddressTypeFQDN + +// AddressTypeIPv4 represents an IPv4 Address. +#AddressTypeIPv4: #AddressType & "IPv4" + +// AddressTypeIPv6 represents an IPv6 Address. +#AddressTypeIPv6: #AddressType & "IPv6" + +// AddressTypeFQDN represents a FQDN. +#AddressTypeFQDN: #AddressType & "FQDN" + +// Endpoint represents a single logical "backend" implementing a service. +#Endpoint: { + // addresses of this endpoint. The contents of this field are interpreted + // according to the corresponding EndpointSlice addressType field. Consumers + // must handle different types of addresses in the context of their own + // capabilities. This must contain at least one address but no more than + // 100. These are all assumed to be fungible and clients may choose to only + // use the first element. Refer to: https://issue.k8s.io/106267 + // +listType=set + addresses: [...string] @go(Addresses,[]string) @protobuf(1,bytes,rep) + + // conditions contains information about the current status of the endpoint. + conditions?: #EndpointConditions @go(Conditions) @protobuf(2,bytes,opt) + + // hostname of this endpoint. This field may be used by consumers of + // endpoints to distinguish endpoints from each other (e.g. in DNS names). + // Multiple endpoints which use the same hostname should be considered + // fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS + // Label (RFC 1123) validation. + // +optional + hostname?: null | string @go(Hostname,*string) @protobuf(3,bytes,opt) + + // targetRef is a reference to a Kubernetes object that represents this + // endpoint. + // +optional + targetRef?: null | v1.#ObjectReference @go(TargetRef,*v1.ObjectReference) @protobuf(4,bytes,opt) + + // deprecatedTopology contains topology information part of the v1beta1 + // API. This field is deprecated, and will be removed when the v1beta1 + // API is removed (no sooner than kubernetes v1.24). While this field can + // hold values, it is not writable through the v1 API, and any attempts to + // write to it will be silently ignored. Topology information can be found + // in the zone and nodeName fields instead. + // +optional + deprecatedTopology?: {[string]: string} @go(DeprecatedTopology,map[string]string) @protobuf(5,bytes,opt) + + // nodeName represents the name of the Node hosting this endpoint. This can + // be used to determine endpoints local to a Node. + // +optional + nodeName?: null | string @go(NodeName,*string) @protobuf(6,bytes,opt) + + // zone is the name of the Zone this endpoint exists in. + // +optional + zone?: null | string @go(Zone,*string) @protobuf(7,bytes,opt) + + // hints contains information associated with how an endpoint should be + // consumed. + // +optional + hints?: null | #EndpointHints @go(Hints,*EndpointHints) @protobuf(8,bytes,opt) +} + +// EndpointConditions represents the current condition of an endpoint. +#EndpointConditions: { + // ready indicates that this endpoint is prepared to receive traffic, + // according to whatever system is managing the endpoint. A nil value + // indicates an unknown state. In most cases consumers should interpret this + // unknown state as ready. For compatibility reasons, ready should never be + // "true" for terminating endpoints, except when the normal readiness + // behavior is being explicitly overridden, for example when the associated + // Service has set the publishNotReadyAddresses flag. + // +optional + ready?: null | bool @go(Ready,*bool) @protobuf(1,bytes) + + // serving is identical to ready except that it is set regardless of the + // terminating state of endpoints. This condition should be set to true for + // a ready endpoint that is terminating. If nil, consumers should defer to + // the ready condition. + // +optional + serving?: null | bool @go(Serving,*bool) @protobuf(2,bytes) + + // terminating indicates that this endpoint is terminating. A nil value + // indicates an unknown state. Consumers should interpret this unknown state + // to mean that the endpoint is not terminating. + // +optional + terminating?: null | bool @go(Terminating,*bool) @protobuf(3,bytes) +} + +// EndpointHints provides hints describing how an endpoint should be consumed. +#EndpointHints: { + // forZones indicates the zone(s) this endpoint should be consumed by to + // enable topology aware routing. + // +listType=atomic + forZones?: [...#ForZone] @go(ForZones,[]ForZone) @protobuf(1,bytes) +} + +// ForZone provides information about which zones should consume this endpoint. +#ForZone: { + // name represents the name of the zone. + name: string @go(Name) @protobuf(1,bytes) +} + +// EndpointPort represents a Port used by an EndpointSlice +// +structType=atomic +#EndpointPort: { + // name represents the name of this port. All ports in an EndpointSlice must have a unique name. + // If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. + // Name must either be an empty string or pass DNS_LABEL validation: + // * must be no more than 63 characters long. + // * must consist of lower case alphanumeric characters or '-'. + // * must start and end with an alphanumeric character. + // Default is empty string. + name?: null | string @go(Name,*string) @protobuf(1,bytes) + + // protocol represents the IP protocol for this port. + // Must be UDP, TCP, or SCTP. + // Default is TCP. + protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(2,bytes) + + // port represents the port number of the endpoint. + // If this is not specified, ports are not restricted and must be + // interpreted in the context of the specific consumer. + port?: null | int32 @go(Port,*int32) @protobuf(3,bytes,opt) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. + // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes) +} + +// EndpointSliceList represents a list of endpoint slices +#EndpointSliceList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of endpoint slices + items: [...#EndpointSlice] @go(Items,[]EndpointSlice) @protobuf(2,bytes,rep) +} diff --git a/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue b/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue new file mode 100644 index 0000000..9c40d30 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue @@ -0,0 +1,20 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +// LabelServiceName is used to indicate the name of a Kubernetes service. +#LabelServiceName: "kubernetes.io/service-name" + +// LabelManagedBy is used to indicate the controller or entity that manages +// an EndpointSlice. This label aims to enable different EndpointSlice +// objects to be managed by different controllers or entities within the +// same cluster. It is highly recommended to configure this label for all +// EndpointSlices. +#LabelManagedBy: "endpointslice.kubernetes.io/managed-by" + +// LabelSkipMirror can be set to true on an Endpoints resource to indicate +// that the EndpointSliceMirroring controller should not mirror this +// resource with EndpointSlices. +#LabelSkipMirror: "endpointslice.kubernetes.io/skip-mirror" diff --git a/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue new file mode 100644 index 0000000..c4138c1 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/events/v1 + +package v1 + +#GroupName: "events.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue new file mode 100644 index 0000000..47acc8f --- /dev/null +++ b/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue @@ -0,0 +1,111 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/events/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" +) + +// Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. +// Events have a limited retention time and triggers and messages may evolve +// with time. Event consumers should not rely on the timing of an event +// with a given Reason reflecting a consistent underlying trigger, or the +// continued existence of events with that Reason. Events should be +// treated as informative, best-effort, supplemental data. +#Event: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // eventTime is the time when this Event was first observed. It is required. + eventTime: metav1.#MicroTime @go(EventTime) @protobuf(2,bytes,opt) + + // series is data about the Event series this event represents or nil if it's a singleton Event. + // +optional + series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(3,bytes,opt) + + // reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. + // This field cannot be empty for new Events. + reportingController?: string @go(ReportingController) @protobuf(4,bytes,opt) + + // reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`. + // This field cannot be empty for new Events and it can have at most 128 characters. + reportingInstance?: string @go(ReportingInstance) @protobuf(5,bytes,opt) + + // action is what action was taken/failed regarding to the regarding object. It is machine-readable. + // This field cannot be empty for new Events and it can have at most 128 characters. + action?: string @go(Action) @protobuf(6,bytes) + + // reason is why the action was taken. It is human-readable. + // This field cannot be empty for new Events and it can have at most 128 characters. + reason?: string @go(Reason) @protobuf(7,bytes) + + // regarding contains the object this Event is about. In most cases it's an Object reporting controller + // implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because + // it acts on some changes in a ReplicaSet object. + // +optional + regarding?: corev1.#ObjectReference @go(Regarding) @protobuf(8,bytes,opt) + + // related is the optional secondary object for more complex actions. E.g. when regarding object triggers + // a creation or deletion of related object. + // +optional + related?: null | corev1.#ObjectReference @go(Related,*corev1.ObjectReference) @protobuf(9,bytes,opt) + + // note is a human-readable description of the status of this operation. + // Maximal length of the note is 1kB, but libraries should be prepared to + // handle values up to 64kB. + // +optional + note?: string @go(Note) @protobuf(10,bytes,opt) + + // type is the type of this event (Normal, Warning), new types could be added in the future. + // It is machine-readable. + // This field cannot be empty for new Events. + type?: string @go(Type) @protobuf(11,bytes,opt) + + // deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedSource?: corev1.#EventSource @go(DeprecatedSource) @protobuf(12,bytes,opt) + + // deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedFirstTimestamp?: metav1.#Time @go(DeprecatedFirstTimestamp) @protobuf(13,bytes,opt) + + // deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedLastTimestamp?: metav1.#Time @go(DeprecatedLastTimestamp) @protobuf(14,bytes,opt) + + // deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedCount?: int32 @go(DeprecatedCount) @protobuf(15,varint,opt) +} + +// EventSeries contain information on series of events, i.e. thing that was/is happening +// continuously for some time. How often to update the EventSeries is up to the event reporters. +// The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows +// how this struct is updated on heartbeats and can guide customized reporter implementations. +#EventSeries: { + // count is the number of occurrences in this series up to the last heartbeat time. + count: int32 @go(Count) @protobuf(1,varint,opt) + + // lastObservedTime is the time when last Event from the series was seen before last heartbeat. + lastObservedTime: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes,opt) +} + +// EventList is a list of Event objects. +#EventList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep) +} diff --git a/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue new file mode 100644 index 0000000..f104262 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +#GroupName: "networking.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue new file mode 100644 index 0000000..bbdc7f2 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue @@ -0,0 +1,588 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +// NetworkPolicy describes what network traffic is allowed for a set of Pods +#NetworkPolicy: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents the specification of the desired behavior for this NetworkPolicy. + // +optional + spec?: #NetworkPolicySpec @go(Spec) @protobuf(2,bytes,opt) +} + +// PolicyType string describes the NetworkPolicy type +// This type is beta-level in 1.8 +// +enum +#PolicyType: string // #enumPolicyType + +#enumPolicyType: + #PolicyTypeIngress | + #PolicyTypeEgress + +// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods +#PolicyTypeIngress: #PolicyType & "Ingress" + +// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods +#PolicyTypeEgress: #PolicyType & "Egress" + +// NetworkPolicySpec provides the specification of a NetworkPolicy +#NetworkPolicySpec: { + // podSelector selects the pods to which this NetworkPolicy object applies. + // The array of ingress rules is applied to any pods selected by this field. + // Multiple network policies can select the same set of pods. In this case, + // the ingress rules for each are combined additively. + // This field is NOT optional and follows standard label selector semantics. + // An empty podSelector matches all pods in this namespace. + podSelector: metav1.#LabelSelector @go(PodSelector) @protobuf(1,bytes,opt) + + // ingress is a list of ingress rules to be applied to the selected pods. + // Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod + // (and cluster policy otherwise allows the traffic), OR if the traffic source is + // the pod's local node, OR if the traffic matches at least one ingress rule + // across all of the NetworkPolicy objects whose podSelector matches the pod. If + // this field is empty then this NetworkPolicy does not allow any traffic (and serves + // solely to ensure that the pods it selects are isolated by default) + // +optional + ingress?: [...#NetworkPolicyIngressRule] @go(Ingress,[]NetworkPolicyIngressRule) @protobuf(2,bytes,rep) + + // egress is a list of egress rules to be applied to the selected pods. Outgoing traffic + // is allowed if there are no NetworkPolicies selecting the pod (and cluster policy + // otherwise allows the traffic), OR if the traffic matches at least one egress rule + // across all of the NetworkPolicy objects whose podSelector matches the pod. If + // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves + // solely to ensure that the pods it selects are isolated by default). + // This field is beta-level in 1.8 + // +optional + egress?: [...#NetworkPolicyEgressRule] @go(Egress,[]NetworkPolicyEgressRule) @protobuf(3,bytes,rep) + + // policyTypes is a list of rule types that the NetworkPolicy relates to. + // Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. + // If this field is not specified, it will default based on the existence of ingress or egress rules; + // policies that contain an egress section are assumed to affect egress, and all policies + // (whether or not they contain an ingress section) are assumed to affect ingress. + // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. + // Likewise, if you want to write a policy that specifies that no egress is allowed, + // you must specify a policyTypes value that include "Egress" (since such a policy would not include + // an egress section and would otherwise default to just [ "Ingress" ]). + // This field is beta-level in 1.8 + // +optional + policyTypes?: [...#PolicyType] @go(PolicyTypes,[]PolicyType) @protobuf(4,bytes,rep,casttype=PolicyType) +} + +// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods +// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. +#NetworkPolicyIngressRule: { + // ports is a list of ports which should be made accessible on the pods selected for + // this rule. Each item in this list is combined using a logical OR. If this field is + // empty or missing, this rule matches all ports (traffic not restricted by port). + // If this field is present and contains at least one item, then this rule allows + // traffic only if the traffic matches at least one port in the list. + // +optional + ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep) + + // from is a list of sources which should be able to access the pods selected for this rule. + // Items in this list are combined using a logical OR operation. If this field is + // empty or missing, this rule matches all sources (traffic not restricted by + // source). If this field is present and contains at least one item, this rule + // allows traffic only if the traffic matches at least one item in the from list. + // +optional + from?: [...#NetworkPolicyPeer] @go(From,[]NetworkPolicyPeer) @protobuf(2,bytes,rep) +} + +// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods +// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. +// This type is beta-level in 1.8 +#NetworkPolicyEgressRule: { + // ports is a list of destination ports for outgoing traffic. + // Each item in this list is combined using a logical OR. If this field is + // empty or missing, this rule matches all ports (traffic not restricted by port). + // If this field is present and contains at least one item, then this rule allows + // traffic only if the traffic matches at least one port in the list. + // +optional + ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep) + + // to is a list of destinations for outgoing traffic of pods selected for this rule. + // Items in this list are combined using a logical OR operation. If this field is + // empty or missing, this rule matches all destinations (traffic not restricted by + // destination). If this field is present and contains at least one item, this rule + // allows traffic only if the traffic matches at least one item in the to list. + // +optional + to?: [...#NetworkPolicyPeer] @go(To,[]NetworkPolicyPeer) @protobuf(2,bytes,rep) +} + +// NetworkPolicyPort describes a port to allow traffic on +#NetworkPolicyPort: { + // protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + // If not specified, this field defaults to TCP. + // +optional + protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.Protocol) + + // port represents the port on the given protocol. This can either be a numerical or named + // port on a pod. If this field is not provided, this matches all port names and + // numbers. + // If present, only traffic on the specified protocol AND port will be matched. + // +optional + port?: null | intstr.#IntOrString @go(Port,*intstr.IntOrString) @protobuf(2,bytes,opt) + + // endPort indicates that the range of ports from port to endPort if set, inclusive, + // should be allowed by the policy. This field cannot be defined if the port field + // is not defined or if the port field is defined as a named (string) port. + // The endPort must be equal or greater than port. + // +optional + endPort?: null | int32 @go(EndPort,*int32) @protobuf(3,bytes,opt) +} + +// IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed +// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs +// that should not be included within this rule. +#IPBlock: { + // cidr is a string representing the IPBlock + // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + cidr: string @go(CIDR) @protobuf(1,bytes) + + // except is a slice of CIDRs that should not be included within an IPBlock + // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + // Except values will be rejected if they are outside the cidr range + // +optional + except?: [...string] @go(Except,[]string) @protobuf(2,bytes,rep) +} + +// NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of +// fields are allowed +#NetworkPolicyPeer: { + // podSelector is a label selector which selects pods. This field follows standard label + // selector semantics; if present but empty, it selects all pods. + // + // If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + // the pods matching podSelector in the Namespaces selected by NamespaceSelector. + // Otherwise it selects the pods matching podSelector in the policy's own namespace. + // +optional + podSelector?: null | metav1.#LabelSelector @go(PodSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // namespaceSelector selects namespaces using cluster-scoped labels. This field follows + // standard label selector semantics; if present but empty, it selects all namespaces. + // + // If podSelector is also set, then the NetworkPolicyPeer as a whole selects + // the pods matching podSelector in the namespaces selected by namespaceSelector. + // Otherwise it selects all pods in the namespaces selected by namespaceSelector. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // ipBlock defines policy on a particular IPBlock. If this field is set then + // neither of the other fields can be. + // +optional + ipBlock?: null | #IPBlock @go(IPBlock,*IPBlock) @protobuf(3,bytes,rep) +} + +// NetworkPolicyList is a list of NetworkPolicy objects. +#NetworkPolicyList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#NetworkPolicy] @go(Items,[]NetworkPolicy) @protobuf(2,bytes,rep) +} + +// Ingress is a collection of rules that allow inbound connections to reach the +// endpoints defined by a backend. An Ingress can be configured to give services +// externally-reachable urls, load balance traffic, terminate SSL, offer name +// based virtual hosting etc. +#Ingress: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the desired state of the Ingress. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #IngressSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current state of the Ingress. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #IngressStatus @go(Status) @protobuf(3,bytes,opt) +} + +// IngressList is a collection of Ingress. +#IngressList: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of Ingress. + items: [...#Ingress] @go(Items,[]Ingress) @protobuf(2,bytes,rep) +} + +// IngressSpec describes the Ingress the user wishes to exist. +#IngressSpec: { + // ingressClassName is the name of an IngressClass cluster resource. Ingress + // controller implementations use this field to know whether they should be + // serving this Ingress resource, by a transitive connection + // (controller -> IngressClass -> Ingress resource). Although the + // `kubernetes.io/ingress.class` annotation (simple constant name) was never + // formally defined, it was widely supported by Ingress controllers to create + // a direct binding between Ingress controller and Ingress resources. Newly + // created Ingress resources should prefer using the field. However, even + // though the annotation is officially deprecated, for backwards compatibility + // reasons, ingress controllers should still honor that annotation if present. + // +optional + ingressClassName?: null | string @go(IngressClassName,*string) @protobuf(4,bytes,opt) + + // defaultBackend is the backend that should handle requests that don't + // match any rule. If Rules are not specified, DefaultBackend must be specified. + // If DefaultBackend is not set, the handling of requests that do not match any + // of the rules will be up to the Ingress controller. + // +optional + defaultBackend?: null | #IngressBackend @go(DefaultBackend,*IngressBackend) @protobuf(1,bytes,opt) + + // tls represents the TLS configuration. Currently the Ingress only supports a + // single TLS port, 443. If multiple members of this list specify different hosts, + // they will be multiplexed on the same port according to the hostname specified + // through the SNI TLS extension, if the ingress controller fulfilling the + // ingress supports SNI. + // +listType=atomic + // +optional + tls?: [...#IngressTLS] @go(TLS,[]IngressTLS) @protobuf(2,bytes,rep) + + // rules is a list of host rules used to configure the Ingress. If unspecified, + // or no rule matches, all traffic is sent to the default backend. + // +listType=atomic + // +optional + rules?: [...#IngressRule] @go(Rules,[]IngressRule) @protobuf(3,bytes,rep) +} + +// IngressTLS describes the transport layer security associated with an ingress. +#IngressTLS: { + // hosts is a list of hosts included in the TLS certificate. The values in + // this list must match the name/s used in the tlsSecret. Defaults to the + // wildcard host setting for the loadbalancer controller fulfilling this + // Ingress, if left unspecified. + // +listType=atomic + // +optional + hosts?: [...string] @go(Hosts,[]string) @protobuf(1,bytes,rep) + + // secretName is the name of the secret used to terminate TLS traffic on + // port 443. Field is left optional to allow TLS routing based on SNI + // hostname alone. If the SNI host in a listener conflicts with the "Host" + // header field used by an IngressRule, the SNI host is used for termination + // and value of the "Host" header is used for routing. + // +optional + secretName?: string @go(SecretName) @protobuf(2,bytes,opt) +} + +// IngressStatus describe the current state of the Ingress. +#IngressStatus: { + // loadBalancer contains the current status of the load-balancer. + // +optional + loadBalancer?: #IngressLoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt) +} + +// IngressLoadBalancerStatus represents the status of a load-balancer. +#IngressLoadBalancerStatus: { + // ingress is a list containing ingress points for the load-balancer. + // +optional + ingress?: [...#IngressLoadBalancerIngress] @go(Ingress,[]IngressLoadBalancerIngress) @protobuf(1,bytes,rep) +} + +// IngressLoadBalancerIngress represents the status of a load-balancer ingress point. +#IngressLoadBalancerIngress: { + // ip is set for load-balancer ingress points that are IP based. + // +optional + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // hostname is set for load-balancer ingress points that are DNS based. + // +optional + hostname?: string @go(Hostname) @protobuf(2,bytes,opt) + + // ports provides information about the ports exposed by this LoadBalancer. + // +listType=atomic + // +optional + ports?: [...#IngressPortStatus] @go(Ports,[]IngressPortStatus) @protobuf(4,bytes,rep) +} + +// IngressPortStatus represents the error condition of a service port +#IngressPortStatus: { + // port is the port number of the ingress port. + port: int32 @go(Port) @protobuf(1,varint,opt) + + // protocol is the protocol of the ingress port. + // The supported values are: "TCP", "UDP", "SCTP" + protocol: v1.#Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // error is to record the problem with the service port + // The format of the error shall comply with the following rules: + // - built-in error values shall be specified in this file and those shall use + // CamelCase names + // - cloud provider specific error values must have names that comply with the + // format foo.example.com/CamelCase. + // --- + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +optional + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + error?: null | string @go(Error,*string) @protobuf(3,bytes,opt) +} + +// IngressRule represents the rules mapping the paths under a specified host to +// the related backend services. Incoming requests are first evaluated for a host +// match, then routed to the backend associated with the matching IngressRuleValue. +#IngressRule: { + // host is the fully qualified domain name of a network host, as defined by RFC 3986. + // Note the following deviations from the "host" part of the + // URI as defined in RFC 3986: + // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to + // the IP in the Spec of the parent Ingress. + // 2. The `:` delimiter is not respected because ports are not allowed. + // Currently the port of an Ingress is implicitly :80 for http and + // :443 for https. + // Both these may change in the future. + // Incoming requests are matched against the host before the + // IngressRuleValue. If the host is unspecified, the Ingress routes all + // traffic based on the specified IngressRuleValue. + // + // host can be "precise" which is a domain name without the terminating dot of + // a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name + // prefixed with a single wildcard label (e.g. "*.foo.com"). + // The wildcard character '*' must appear by itself as the first DNS label and + // matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). + // Requests will be matched against the Host field in the following way: + // 1. If host is precise, the request matches this rule if the http host header is equal to Host. + // 2. If host is a wildcard, then the request matches this rule if the http host header + // is to equal to the suffix (removing the first label) of the wildcard rule. + // +optional + host?: string @go(Host) @protobuf(1,bytes,opt) + + #IngressRuleValue +} + +// IngressRuleValue represents a rule to apply against incoming requests. If the +// rule is satisfied, the request is routed to the specified backend. Currently +// mixing different types of rules in a single Ingress is disallowed, so exactly +// one of the following must be set. +#IngressRuleValue: { + // +optional + http?: null | #HTTPIngressRuleValue @go(HTTP,*HTTPIngressRuleValue) @protobuf(1,bytes,opt) +} + +// HTTPIngressRuleValue is a list of http selectors pointing to backends. +// In the example: http:///? -> backend where +// where parts of the url correspond to RFC 3986, this resource will be used +// to match against everything after the last '/' and before the first '?' +// or '#'. +#HTTPIngressRuleValue: { + // paths is a collection of paths that map requests to backends. + // +listType=atomic + paths: [...#HTTPIngressPath] @go(Paths,[]HTTPIngressPath) @protobuf(1,bytes,rep) +} + +// PathType represents the type of path referred to by a HTTPIngressPath. +// +enum +#PathType: string // #enumPathType + +#enumPathType: + #PathTypeExact | + #PathTypePrefix | + #PathTypeImplementationSpecific + +// PathTypeExact matches the URL path exactly and with case sensitivity. +#PathTypeExact: #PathType & "Exact" + +// PathTypePrefix matches based on a URL path prefix split by '/'. Matching +// is case sensitive and done on a path element by element basis. A path +// element refers to the list of labels in the path split by the '/' +// separator. A request is a match for path p if every p is an element-wise +// prefix of p of the request path. Note that if the last element of the +// path is a substring of the last element in request path, it is not a +// match (e.g. /foo/bar matches /foo/bar/baz, but does not match +// /foo/barbaz). If multiple matching paths exist in an Ingress spec, the +// longest matching path is given priority. +// Examples: +// - /foo/bar does not match requests to /foo/barbaz +// - /foo/bar matches request to /foo/bar and /foo/bar/baz +// - /foo and /foo/ both match requests to /foo and /foo/. If both paths are +// present in an Ingress spec, the longest matching path (/foo/) is given +// priority. +#PathTypePrefix: #PathType & "Prefix" + +// PathTypeImplementationSpecific matching is up to the IngressClass. +// Implementations can treat this as a separate PathType or treat it +// identically to Prefix or Exact path types. +#PathTypeImplementationSpecific: #PathType & "ImplementationSpecific" + +// HTTPIngressPath associates a path with a backend. Incoming urls matching the +// path are forwarded to the backend. +#HTTPIngressPath: { + // path is matched against the path of an incoming request. Currently it can + // contain characters disallowed from the conventional "path" part of a URL + // as defined by RFC 3986. Paths must begin with a '/' and must be present + // when using PathType with value "Exact" or "Prefix". + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // pathType determines the interpretation of the path matching. PathType can + // be one of the following values: + // * Exact: Matches the URL path exactly. + // * Prefix: Matches based on a URL path prefix split by '/'. Matching is + // done on a path element by element basis. A path element refers is the + // list of labels in the path split by the '/' separator. A request is a + // match for path p if every p is an element-wise prefix of p of the + // request path. Note that if the last element of the path is a substring + // of the last element in request path, it is not a match (e.g. /foo/bar + // matches /foo/bar/baz, but does not match /foo/barbaz). + // * ImplementationSpecific: Interpretation of the Path matching is up to + // the IngressClass. Implementations can treat this as a separate PathType + // or treat it identically to Prefix or Exact path types. + // Implementations are required to support all path types. + pathType?: null | #PathType @go(PathType,*PathType) @protobuf(3,bytes,opt) + + // backend defines the referenced service endpoint to which the traffic + // will be forwarded to. + backend: #IngressBackend @go(Backend) @protobuf(2,bytes,opt) +} + +// IngressBackend describes all endpoints for a given service and port. +#IngressBackend: { + // service references a service as a backend. + // This is a mutually exclusive setting with "Resource". + // +optional + service?: null | #IngressServiceBackend @go(Service,*IngressServiceBackend) @protobuf(4,bytes,opt) + + // resource is an ObjectRef to another Kubernetes resource in the namespace + // of the Ingress object. If resource is specified, a service.Name and + // service.Port must not be specified. + // This is a mutually exclusive setting with "Service". + // +optional + resource?: null | v1.#TypedLocalObjectReference @go(Resource,*v1.TypedLocalObjectReference) @protobuf(3,bytes,opt) +} + +// IngressServiceBackend references a Kubernetes Service as a Backend. +#IngressServiceBackend: { + // name is the referenced service. The service must exist in + // the same namespace as the Ingress object. + name: string @go(Name) @protobuf(1,bytes,opt) + + // port of the referenced service. A port name or port number + // is required for a IngressServiceBackend. + port?: #ServiceBackendPort @go(Port) @protobuf(2,bytes,opt) +} + +// ServiceBackendPort is the service port being referenced. +#ServiceBackendPort: { + // name is the name of the port on the Service. + // This is a mutually exclusive setting with "Number". + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // number is the numerical port number (e.g. 80) on the Service. + // This is a mutually exclusive setting with "Name". + // +optional + number?: int32 @go(Number) @protobuf(2,bytes,opt) +} + +// IngressClass represents the class of the Ingress, referenced by the Ingress +// Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be +// used to indicate that an IngressClass should be considered default. When a +// single IngressClass resource has this annotation set to true, new Ingress +// resources without a class specified will be assigned this default class. +#IngressClass: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the desired state of the IngressClass. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #IngressClassSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// IngressClassSpec provides information about the class of an Ingress. +#IngressClassSpec: { + // controller refers to the name of the controller that should handle this + // class. This allows for different "flavors" that are controlled by the + // same controller. For example, you may have different parameters for the + // same implementing controller. This should be specified as a + // domain-prefixed path no more than 250 characters in length, e.g. + // "acme.io/ingress-controller". This field is immutable. + controller?: string @go(Controller) @protobuf(1,bytes,opt) + + // parameters is a link to a custom resource containing additional + // configuration for the controller. This is optional if the controller does + // not require extra parameters. + // +optional + parameters?: null | #IngressClassParametersReference @go(Parameters,*IngressClassParametersReference) @protobuf(2,bytes,opt) +} + +// IngressClassParametersReferenceScopeNamespace indicates that the +// referenced Parameters resource is namespace-scoped. +#IngressClassParametersReferenceScopeNamespace: "Namespace" + +// IngressClassParametersReferenceScopeCluster indicates that the +// referenced Parameters resource is cluster-scoped. +#IngressClassParametersReferenceScopeCluster: "Cluster" + +// IngressClassParametersReference identifies an API object. This can be used +// to specify a cluster or namespace-scoped resource. +#IngressClassParametersReference: { + // apiGroup is the group for the resource being referenced. If APIGroup is + // not specified, the specified Kind must be in the core API group. For any + // other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt,name=aPIGroup) + + // kind is the type of resource being referenced. + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // name is the name of resource being referenced. + name: string @go(Name) @protobuf(3,bytes,opt) + + // scope represents if this refers to a cluster or namespace scoped resource. + // This may be set to "Cluster" (default) or "Namespace". + // +optional + scope?: null | string @go(Scope,*string) @protobuf(4,bytes,opt) + + // namespace is the namespace of the resource being referenced. This field is + // required when scope is set to "Namespace" and must be unset when scope is set to + // "Cluster". + // +optional + namespace?: null | string @go(Namespace,*string) @protobuf(5,bytes,opt) +} + +// IngressClassList is a collection of IngressClasses. +#IngressClassList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of IngressClasses. + items: [...#IngressClass] @go(Items,[]IngressClass) @protobuf(2,bytes,rep) +} diff --git a/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue b/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue new file mode 100644 index 0000000..bee74f4 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue @@ -0,0 +1,11 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +// AnnotationIsDefaultIngressClass can be used to indicate that an +// IngressClass should be considered default. When a single IngressClass +// resource has this annotation set to true, new Ingress resources without a +// class specified will be assigned this default class. +#AnnotationIsDefaultIngressClass: "ingressclass.kubernetes.io/is-default-class" diff --git a/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue new file mode 100644 index 0000000..5969b44 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/node/v1 + +package v1 + +#GroupName: "node.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue new file mode 100644 index 0000000..3934557 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue @@ -0,0 +1,90 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/node/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" +) + +// RuntimeClass defines a class of container runtime supported in the cluster. +// The RuntimeClass is used to determine which container runtime is used to run +// all containers in a pod. RuntimeClasses are manually defined by a +// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is +// responsible for resolving the RuntimeClassName reference before running the +// pod. For more details, see +// https://kubernetes.io/docs/concepts/containers/runtime-class/ +#RuntimeClass: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // handler specifies the underlying runtime and configuration that the CRI + // implementation will use to handle pods of this class. The possible values + // are specific to the node & CRI configuration. It is assumed that all + // handlers are available on every node, and handlers of the same name are + // equivalent on every node. + // For example, a handler called "runc" might specify that the runc OCI + // runtime (using native Linux containers) will be used to run the containers + // in a pod. + // The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, + // and is immutable. + handler: string @go(Handler) @protobuf(2,bytes,opt) + + // overhead represents the resource overhead associated with running a pod for a + // given RuntimeClass. For more details, see + // https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/ + // +optional + overhead?: null | #Overhead @go(Overhead,*Overhead) @protobuf(3,bytes,opt) + + // scheduling holds the scheduling constraints to ensure that pods running + // with this RuntimeClass are scheduled to nodes that support it. + // If scheduling is nil, this RuntimeClass is assumed to be supported by all + // nodes. + // +optional + scheduling?: null | #Scheduling @go(Scheduling,*Scheduling) @protobuf(4,bytes,opt) +} + +// Overhead structure represents the resource overhead associated with running a pod. +#Overhead: { + // podFixed represents the fixed resource overhead associated with running a pod. + // +optional + podFixed?: corev1.#ResourceList @go(PodFixed) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.ResourceList,castkey=k8s.io/api/core/v1.ResourceName,castvalue=k8s.io/apimachinery/pkg/api/resource.Quantity) +} + +// Scheduling specifies the scheduling constraints for nodes supporting a +// RuntimeClass. +#Scheduling: { + // nodeSelector lists labels that must be present on nodes that support this + // RuntimeClass. Pods using this RuntimeClass can only be scheduled to a + // node matched by this selector. The RuntimeClass nodeSelector is merged + // with a pod's existing nodeSelector. Any conflicts will cause the pod to + // be rejected in admission. + // +optional + // +mapType=atomic + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(1,bytes,opt) + + // tolerations are appended (excluding duplicates) to pods running with this + // RuntimeClass during admission, effectively unioning the set of nodes + // tolerated by the pod and the RuntimeClass. + // +optional + // +listType=atomic + tolerations?: [...corev1.#Toleration] @go(Tolerations,[]corev1.Toleration) @protobuf(2,bytes,rep) +} + +// RuntimeClassList is a list of RuntimeClass objects. +#RuntimeClassList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#RuntimeClass] @go(Items,[]RuntimeClass) @protobuf(2,bytes,rep) +} diff --git a/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue b/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue new file mode 100644 index 0000000..dedcdc3 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue @@ -0,0 +1,8 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +// Package policy is for any kind of policy object. Suitable examples, even if +// they aren't all here, are PodDisruptionBudget, PodSecurityPolicy, +// NetworkPolicy, etc. +package v1 diff --git a/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue new file mode 100644 index 0000000..e38fa37 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +package v1 + +#GroupName: "policy" diff --git a/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue new file mode 100644 index 0000000..5901cc6 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue @@ -0,0 +1,204 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +#DisruptionBudgetCause: metav1.#CauseType & "DisruptionBudget" + +// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget. +#PodDisruptionBudgetSpec: { + // An eviction is allowed if at least "minAvailable" pods selected by + // "selector" will still be available after the eviction, i.e. even in the + // absence of the evicted pod. So for example you can prevent all voluntary + // evictions by specifying "100%". + // +optional + minAvailable?: null | intstr.#IntOrString @go(MinAvailable,*intstr.IntOrString) @protobuf(1,bytes,opt) + + // Label query over pods whose evictions are managed by the disruption + // budget. + // A null selector will match no pods, while an empty ({}) selector will select + // all pods within the namespace. + // +patchStrategy=replace + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // An eviction is allowed if at most "maxUnavailable" pods selected by + // "selector" are unavailable after the eviction, i.e. even in absence of + // the evicted pod. For example, one can prevent all voluntary evictions + // by specifying 0. This is a mutually exclusive setting with "minAvailable". + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(3,bytes,opt) + + // UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods + // should be considered for eviction. Current implementation considers healthy pods, + // as pods that have status.conditions item with type="Ready",status="True". + // + // Valid policies are IfHealthyBudget and AlwaysAllow. + // If no policy is specified, the default behavior will be used, + // which corresponds to the IfHealthyBudget policy. + // + // IfHealthyBudget policy means that running pods (status.phase="Running"), + // but not yet healthy can be evicted only if the guarded application is not + // disrupted (status.currentHealthy is at least equal to status.desiredHealthy). + // Healthy pods will be subject to the PDB for eviction. + // + // AlwaysAllow policy means that all running pods (status.phase="Running"), + // but not yet healthy are considered disrupted and can be evicted regardless + // of whether the criteria in a PDB is met. This means perspective running + // pods of a disrupted application might not get a chance to become healthy. + // Healthy pods will be subject to the PDB for eviction. + // + // Additional policies may be added in the future. + // Clients making eviction decisions should disallow eviction of unhealthy pods + // if they encounter an unrecognized policy in this field. + // + // This field is beta-level. The eviction API uses this field when + // the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default). + // +optional + unhealthyPodEvictionPolicy?: null | #UnhealthyPodEvictionPolicyType @go(UnhealthyPodEvictionPolicy,*UnhealthyPodEvictionPolicyType) @protobuf(4,bytes,opt) +} + +// UnhealthyPodEvictionPolicyType defines the criteria for when unhealthy pods +// should be considered for eviction. +// +enum +#UnhealthyPodEvictionPolicyType: string // #enumUnhealthyPodEvictionPolicyType + +#enumUnhealthyPodEvictionPolicyType: + #IfHealthyBudget | + #AlwaysAllow + +// IfHealthyBudget policy means that running pods (status.phase="Running"), +// but not yet healthy can be evicted only if the guarded application is not +// disrupted (status.currentHealthy is at least equal to status.desiredHealthy). +// Healthy pods will be subject to the PDB for eviction. +#IfHealthyBudget: #UnhealthyPodEvictionPolicyType & "IfHealthyBudget" + +// AlwaysAllow policy means that all running pods (status.phase="Running"), +// but not yet healthy are considered disrupted and can be evicted regardless +// of whether the criteria in a PDB is met. This means perspective running +// pods of a disrupted application might not get a chance to become healthy. +// Healthy pods will be subject to the PDB for eviction. +#AlwaysAllow: #UnhealthyPodEvictionPolicyType & "AlwaysAllow" + +// PodDisruptionBudgetStatus represents information about the status of a +// PodDisruptionBudget. Status may trail the actual state of a system. +#PodDisruptionBudgetStatus: { + // Most recent generation observed when updating this PDB status. DisruptionsAllowed and other + // status information is valid only if observedGeneration equals to PDB's object generation. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt) + + // DisruptedPods contains information about pods whose eviction was + // processed by the API server eviction subresource handler but has not + // yet been observed by the PodDisruptionBudget controller. + // A pod will be in this map from the time when the API server processed the + // eviction request to the time when the pod is seen by PDB controller + // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod + // and the value is the time when the API server processed the eviction request. If + // the deletion didn't occur and a pod is still there it will be removed from + // the list automatically by PodDisruptionBudget controller after some time. + // If everything goes smooth this map should be empty for the most of the time. + // Large number of entries in the map may indicate problems with pod deletions. + // +optional + disruptedPods?: {[string]: metav1.#Time} @go(DisruptedPods,map[string]metav1.Time) @protobuf(2,bytes,rep) + + // Number of pod disruptions that are currently allowed. + disruptionsAllowed: int32 @go(DisruptionsAllowed) @protobuf(3,varint,opt) + + // current number of healthy pods + currentHealthy: int32 @go(CurrentHealthy) @protobuf(4,varint,opt) + + // minimum desired number of healthy pods + desiredHealthy: int32 @go(DesiredHealthy) @protobuf(5,varint,opt) + + // total number of pods counted by this disruption budget + expectedPods: int32 @go(ExpectedPods) @protobuf(6,varint,opt) + + // Conditions contain conditions for PDB. The disruption controller sets the + // DisruptionAllowed condition. The following are known values for the reason field + // (additional reasons could be added in the future): + // - SyncFailed: The controller encountered an error and wasn't able to compute + // the number of allowed disruptions. Therefore no disruptions are + // allowed and the status of the condition will be False. + // - InsufficientPods: The number of pods are either at or below the number + // required by the PodDisruptionBudget. No disruptions are + // allowed and the status of the condition will be False. + // - SufficientPods: There are more pods than required by the PodDisruptionBudget. + // The condition will be True, and the number of allowed + // disruptions are provided by the disruptionsAllowed property. + // + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(7,bytes,rep) +} + +// DisruptionAllowedCondition is a condition set by the disruption controller +// that signal whether any of the pods covered by the PDB can be disrupted. +#DisruptionAllowedCondition: "DisruptionAllowed" + +// SyncFailedReason is set on the DisruptionAllowed condition if reconcile +// of the PDB failed and therefore disruption of pods are not allowed. +#SyncFailedReason: "SyncFailed" + +// SufficientPodsReason is set on the DisruptionAllowed condition if there are +// more pods covered by the PDB than required and at least one can be disrupted. +#SufficientPodsReason: "SufficientPods" + +// InsufficientPodsReason is set on the DisruptionAllowed condition if the number +// of pods are equal to or fewer than required by the PDB. +#InsufficientPodsReason: "InsufficientPods" + +// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods +#PodDisruptionBudget: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the PodDisruptionBudget. + // +optional + spec?: #PodDisruptionBudgetSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the PodDisruptionBudget. + // +optional + status?: #PodDisruptionBudgetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodDisruptionBudgetList is a collection of PodDisruptionBudgets. +#PodDisruptionBudgetList: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of PodDisruptionBudgets + items: [...#PodDisruptionBudget] @go(Items,[]PodDisruptionBudget) @protobuf(2,bytes,rep) +} + +// Eviction evicts a pod from its node subject to certain policies and safety constraints. +// This is a subresource of Pod. A request to cause such an eviction is +// created by POSTing to .../pods//evictions. +#Eviction: { + metav1.#TypeMeta + + // ObjectMeta describes the pod that is being evicted. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // DeleteOptions may be provided + // +optional + deleteOptions?: null | metav1.#DeleteOptions @go(DeleteOptions,*metav1.DeleteOptions) @protobuf(2,bytes,opt) +} diff --git a/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue new file mode 100644 index 0000000..1c83e8b --- /dev/null +++ b/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/rbac/v1 + +package v1 + +#GroupName: "rbac.authorization.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue new file mode 100644 index 0000000..521e355 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue @@ -0,0 +1,207 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/rbac/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +#APIGroupAll: "*" +#ResourceAll: "*" +#VerbAll: "*" +#NonResourceAll: "*" +#GroupKind: "Group" +#ServiceAccountKind: "ServiceAccount" +#UserKind: "User" + +// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false" +#AutoUpdateAnnotationKey: "rbac.authorization.kubernetes.io/autoupdate" + +// PolicyRule holds information that describes a policy rule, but does not contain information +// about who the rule applies to or which namespace the rule applies to. +#PolicyRule: { + // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. + // +optional + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. '*' represents all resources. + // +optional + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. + // +optional + resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep) + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path + // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. + // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. + // +optional + nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(5,bytes,rep) +} + +// Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, +// or a value for non-objects such as user and group names. +// +structType=atomic +#Subject: { + // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + // If the Authorizer does not recognized the kind value, the Authorizer should report an error. + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // APIGroup holds the API group of the referenced subject. + // Defaults to "" for ServiceAccount subjects. + // Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + // +optional + apiGroup?: string @go(APIGroup) @protobuf(2,bytes,opt.name=apiGroup) + + // Name of the object being referenced. + name: string @go(Name) @protobuf(3,bytes,opt) + + // Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + // the Authorizer should report an error. + // +optional + namespace?: string @go(Namespace) @protobuf(4,bytes,opt) +} + +// RoleRef contains information that points to the role being used +// +structType=atomic +#RoleRef: { + // APIGroup is the group for the resource being referenced + apiGroup: string @go(APIGroup) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) +} + +// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding. +#Role: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Rules holds all the PolicyRules for this Role + // +optional + rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep) +} + +// RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. +// It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given +// namespace only have effect in that namespace. +#RoleBinding: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Subjects holds references to the objects the role applies to. + // +optional + subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep) + + // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. + // If the RoleRef cannot be resolved, the Authorizer must return an error. + // This field is immutable. + roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt) +} + +// RoleBindingList is a collection of RoleBindings +#RoleBindingList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of RoleBindings + items: [...#RoleBinding] @go(Items,[]RoleBinding) @protobuf(2,bytes,rep) +} + +// RoleList is a collection of Roles +#RoleList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of Roles + items: [...#Role] @go(Items,[]Role) @protobuf(2,bytes,rep) +} + +// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding. +#ClusterRole: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Rules holds all the PolicyRules for this ClusterRole + // +optional + rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep) + + // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. + // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be + // stomped by the controller. + // +optional + aggregationRule?: null | #AggregationRule @go(AggregationRule,*AggregationRule) @protobuf(3,bytes,opt) +} + +// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole +#AggregationRule: { + // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. + // If any of the selectors match, then the ClusterRole's permissions will be added + // +optional + clusterRoleSelectors?: [...metav1.#LabelSelector] @go(ClusterRoleSelectors,[]metav1.LabelSelector) @protobuf(1,bytes,rep) +} + +// ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, +// and adds who information via Subject. +#ClusterRoleBinding: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Subjects holds references to the objects the role applies to. + // +optional + subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep) + + // RoleRef can only reference a ClusterRole in the global namespace. + // If the RoleRef cannot be resolved, the Authorizer must return an error. + // This field is immutable. + roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt) +} + +// ClusterRoleBindingList is a collection of ClusterRoleBindings +#ClusterRoleBindingList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ClusterRoleBindings + items: [...#ClusterRoleBinding] @go(Items,[]ClusterRoleBinding) @protobuf(2,bytes,rep) +} + +// ClusterRoleList is a collection of ClusterRoles +#ClusterRoleList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ClusterRoles + items: [...#ClusterRole] @go(Items,[]ClusterRole) @protobuf(2,bytes,rep) +} diff --git a/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue new file mode 100644 index 0000000..8cc2b5f --- /dev/null +++ b/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/scheduling/v1 + +package v1 + +#GroupName: "scheduling.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue new file mode 100644 index 0000000..1d8f957 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue @@ -0,0 +1,57 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/scheduling/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + apiv1 "k8s.io/api/core/v1" +) + +// PriorityClass defines mapping from a priority class name to the priority +// integer value. The value can be any valid integer. +#PriorityClass: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // value represents the integer value of this priority class. This is the actual priority that pods + // receive when they have the name of this class in their pod spec. + value: int32 @go(Value) @protobuf(2,bytes,opt) + + // globalDefault specifies whether this PriorityClass should be considered as + // the default priority for pods that do not have any priority class. + // Only one PriorityClass can be marked as `globalDefault`. However, if more than + // one PriorityClasses exists with their `globalDefault` field set to true, + // the smallest value of such global default PriorityClasses will be used as the default priority. + // +optional + globalDefault?: bool @go(GlobalDefault) @protobuf(3,bytes,opt) + + // description is an arbitrary string that usually provides guidelines on + // when this priority class should be used. + // +optional + description?: string @go(Description) @protobuf(4,bytes,opt) + + // preemptionPolicy is the Policy for preempting pods with lower priority. + // One of Never, PreemptLowerPriority. + // Defaults to PreemptLowerPriority if unset. + // +optional + preemptionPolicy?: null | apiv1.#PreemptionPolicy @go(PreemptionPolicy,*apiv1.PreemptionPolicy) @protobuf(5,bytes,opt) +} + +// PriorityClassList is a collection of priority classes. +#PriorityClassList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of PriorityClasses + items: [...#PriorityClass] @go(Items,[]PriorityClass) @protobuf(2,bytes,rep) +} diff --git a/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue new file mode 100644 index 0000000..641ce60 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/storage/v1 + +package v1 + +#GroupName: "storage.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue new file mode 100644 index 0000000..b515865 --- /dev/null +++ b/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue @@ -0,0 +1,652 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/storage/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" +) + +// StorageClass describes the parameters for a class of storage for +// which PersistentVolumes can be dynamically provisioned. +// +// StorageClasses are non-namespaced; the name of the storage class +// according to etcd is in ObjectMeta.Name. +#StorageClass: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // provisioner indicates the type of the provisioner. + provisioner: string @go(Provisioner) @protobuf(2,bytes,opt) + + // parameters holds the parameters for the provisioner that should + // create volumes of this storage class. + // +optional + parameters?: {[string]: string} @go(Parameters,map[string]string) @protobuf(3,bytes,rep) + + // reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class. + // Defaults to Delete. + // +optional + reclaimPolicy?: null | v1.#PersistentVolumeReclaimPolicy @go(ReclaimPolicy,*v1.PersistentVolumeReclaimPolicy) @protobuf(4,bytes,opt,casttype=k8s.io/api/core/v1.PersistentVolumeReclaimPolicy) + + // mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class. + // e.g. ["ro", "soft"]. Not validated - + // mount of the PVs will simply fail if one is invalid. + // +optional + mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(5,bytes,opt) + + // allowVolumeExpansion shows whether the storage class allow volume expand. + // +optional + allowVolumeExpansion?: null | bool @go(AllowVolumeExpansion,*bool) @protobuf(6,varint,opt) + + // volumeBindingMode indicates how PersistentVolumeClaims should be + // provisioned and bound. When unset, VolumeBindingImmediate is used. + // This field is only honored by servers that enable the VolumeScheduling feature. + // +optional + volumeBindingMode?: null | #VolumeBindingMode @go(VolumeBindingMode,*VolumeBindingMode) @protobuf(7,bytes,opt) + + // allowedTopologies restrict the node topologies where volumes can be dynamically provisioned. + // Each volume plugin defines its own supported topology specifications. + // An empty TopologySelectorTerm list means there is no topology restriction. + // This field is only honored by servers that enable the VolumeScheduling feature. + // +optional + // +listType=atomic + allowedTopologies?: [...v1.#TopologySelectorTerm] @go(AllowedTopologies,[]v1.TopologySelectorTerm) @protobuf(8,bytes,rep) +} + +// StorageClassList is a collection of storage classes. +#StorageClassList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of StorageClasses + items: [...#StorageClass] @go(Items,[]StorageClass) @protobuf(2,bytes,rep) +} + +// VolumeBindingMode indicates how PersistentVolumeClaims should be bound. +// +enum +#VolumeBindingMode: string // #enumVolumeBindingMode + +#enumVolumeBindingMode: + #VolumeBindingImmediate | + #VolumeBindingWaitForFirstConsumer + +// VolumeBindingImmediate indicates that PersistentVolumeClaims should be +// immediately provisioned and bound. This is the default mode. +#VolumeBindingImmediate: #VolumeBindingMode & "Immediate" + +// VolumeBindingWaitForFirstConsumer indicates that PersistentVolumeClaims +// should not be provisioned and bound until the first Pod is created that +// references the PeristentVolumeClaim. The volume provisioning and +// binding will occur during Pod scheduing. +#VolumeBindingWaitForFirstConsumer: #VolumeBindingMode & "WaitForFirstConsumer" + +// VolumeAttachment captures the intent to attach or detach the specified volume +// to/from the specified node. +// +// VolumeAttachment objects are non-namespaced. +#VolumeAttachment: { + metav1.#TypeMeta + + // Standard object metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents specification of the desired attach/detach volume behavior. + // Populated by the Kubernetes system. + spec: #VolumeAttachmentSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents status of the VolumeAttachment request. + // Populated by the entity completing the attach or detach + // operation, i.e. the external-attacher. + // +optional + status?: #VolumeAttachmentStatus @go(Status) @protobuf(3,bytes,opt) +} + +// VolumeAttachmentList is a collection of VolumeAttachment objects. +#VolumeAttachmentList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of VolumeAttachments + items: [...#VolumeAttachment] @go(Items,[]VolumeAttachment) @protobuf(2,bytes,rep) +} + +// VolumeAttachmentSpec is the specification of a VolumeAttachment request. +#VolumeAttachmentSpec: { + // attacher indicates the name of the volume driver that MUST handle this + // request. This is the name returned by GetPluginName(). + attacher: string @go(Attacher) @protobuf(1,bytes,opt) + + // source represents the volume that should be attached. + source: #VolumeAttachmentSource @go(Source) @protobuf(2,bytes,opt) + + // nodeName represents the node that the volume should be attached to. + nodeName: string @go(NodeName) @protobuf(3,bytes,opt) +} + +// VolumeAttachmentSource represents a volume that should be attached. +// Right now only PersistenVolumes can be attached via external attacher, +// in future we may allow also inline volumes in pods. +// Exactly one member can be set. +#VolumeAttachmentSource: { + // persistentVolumeName represents the name of the persistent volume to attach. + // +optional + persistentVolumeName?: null | string @go(PersistentVolumeName,*string) @protobuf(1,bytes,opt) + + // inlineVolumeSpec contains all the information necessary to attach + // a persistent volume defined by a pod's inline VolumeSource. This field + // is populated only for the CSIMigration feature. It contains + // translated fields from a pod's inline VolumeSource to a + // PersistentVolumeSpec. This field is beta-level and is only + // honored by servers that enabled the CSIMigration feature. + // +optional + inlineVolumeSpec?: null | v1.#PersistentVolumeSpec @go(InlineVolumeSpec,*v1.PersistentVolumeSpec) @protobuf(2,bytes,opt) +} + +// VolumeAttachmentStatus is the status of a VolumeAttachment request. +#VolumeAttachmentStatus: { + // attached indicates the volume is successfully attached. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + attached: bool @go(Attached) @protobuf(1,varint,opt) + + // attachmentMetadata is populated with any + // information returned by the attach operation, upon successful attach, that must be passed + // into subsequent WaitForAttach or Mount calls. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + // +optional + attachmentMetadata?: {[string]: string} @go(AttachmentMetadata,map[string]string) @protobuf(2,bytes,rep) + + // attachError represents the last error encountered during attach operation, if any. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + // +optional + attachError?: null | #VolumeError @go(AttachError,*VolumeError) @protobuf(3,bytes,opt,casttype=VolumeError) + + // detachError represents the last error encountered during detach operation, if any. + // This field must only be set by the entity completing the detach + // operation, i.e. the external-attacher. + // +optional + detachError?: null | #VolumeError @go(DetachError,*VolumeError) @protobuf(4,bytes,opt,casttype=VolumeError) +} + +// VolumeError captures an error encountered during a volume operation. +#VolumeError: { + // time represents the time the error was encountered. + // +optional + time?: metav1.#Time @go(Time) @protobuf(1,bytes,opt) + + // message represents the error encountered during Attach or Detach operation. + // This string may be logged, so it should not contain sensitive + // information. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) +} + +// CSIDriver captures information about a Container Storage Interface (CSI) +// volume driver deployed on the cluster. +// Kubernetes attach detach controller uses this object to determine whether attach is required. +// Kubelet uses this object to determine whether pod information needs to be passed on mount. +// CSIDriver objects are non-namespaced. +#CSIDriver: { + metav1.#TypeMeta + + // Standard object metadata. + // metadata.Name indicates the name of the CSI driver that this object + // refers to; it MUST be the same name returned by the CSI GetPluginName() + // call for that driver. + // The driver name must be 63 characters or less, beginning and ending with + // an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and + // alphanumerics between. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents the specification of the CSI Driver. + spec: #CSIDriverSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CSIDriverList is a collection of CSIDriver objects. +#CSIDriverList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSIDriver + items: [...#CSIDriver] @go(Items,[]CSIDriver) @protobuf(2,bytes,rep) +} + +// CSIDriverSpec is the specification of a CSIDriver. +#CSIDriverSpec: { + // attachRequired indicates this CSI volume driver requires an attach + // operation (because it implements the CSI ControllerPublishVolume() + // method), and that the Kubernetes attach detach controller should call + // the attach volume interface which checks the volumeattachment status + // and waits until the volume is attached before proceeding to mounting. + // The CSI external-attacher coordinates with CSI volume driver and updates + // the volumeattachment status when the attach operation is complete. + // If the CSIDriverRegistry feature gate is enabled and the value is + // specified to false, the attach operation will be skipped. + // Otherwise the attach operation will be called. + // + // This field is immutable. + // + // +optional + attachRequired?: null | bool @go(AttachRequired,*bool) @protobuf(1,varint,opt) + + // podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) + // during mount operations, if set to true. + // If set to false, pod information will not be passed on mount. + // Default is false. + // + // The CSI driver specifies podInfoOnMount as part of driver deployment. + // If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. + // The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. + // + // The following VolumeConext will be passed if podInfoOnMount is set to true. + // This list might grow, but the prefix will be used. + // "csi.storage.k8s.io/pod.name": pod.Name + // "csi.storage.k8s.io/pod.namespace": pod.Namespace + // "csi.storage.k8s.io/pod.uid": string(pod.UID) + // "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume + // defined by a CSIVolumeSource, otherwise "false" + // + // "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only + // required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode. + // Other drivers can leave pod info disabled and/or ignore this field. + // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when + // deployed on such a cluster and the deployment determines which mode that is, for example + // via a command line parameter of the driver. + // + // This field is immutable. + // + // +optional + podInfoOnMount?: null | bool @go(PodInfoOnMount,*bool) @protobuf(2,bytes,opt) + + // volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. + // The default if the list is empty is "Persistent", which is the usage defined by the + // CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. + // + // The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec + // with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. + // A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. + // + // For more information about implementing this mode, see + // https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html + // A driver can support one or more of these modes and more modes may be added in the future. + // + // This field is beta. + // This field is immutable. + // + // +optional + // +listType=set + volumeLifecycleModes?: [...#VolumeLifecycleMode] @go(VolumeLifecycleModes,[]VolumeLifecycleMode) @protobuf(3,bytes,opt) + + // storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage + // capacity that the driver deployment will report by creating + // CSIStorageCapacity objects with capacity information, if set to true. + // + // The check can be enabled immediately when deploying a driver. + // In that case, provisioning new volumes with late binding + // will pause until the driver deployment has published + // some suitable CSIStorageCapacity object. + // + // Alternatively, the driver can be deployed with the field + // unset or false and it can be flipped later when storage + // capacity information has been published. + // + // This field was immutable in Kubernetes <= 1.22 and now is mutable. + // + // +optional + // +featureGate=CSIStorageCapacity + storageCapacity?: null | bool @go(StorageCapacity,*bool) @protobuf(4,bytes,opt) + + // fsGroupPolicy defines if the underlying volume supports changing ownership and + // permission of the volume before being mounted. + // Refer to the specific FSGroupPolicy values for additional details. + // + // This field is immutable. + // + // Defaults to ReadWriteOnceWithFSType, which will examine each volume + // to determine if Kubernetes should modify ownership and permissions of the volume. + // With the default policy the defined fsGroup will only be applied + // if a fstype is defined and the volume's access mode contains ReadWriteOnce. + // + // +optional + fsGroupPolicy?: null | #FSGroupPolicy @go(FSGroupPolicy,*FSGroupPolicy) @protobuf(5,bytes,opt) + + // tokenRequests indicates the CSI driver needs pods' service account + // tokens it is mounting volume for to do necessary authentication. Kubelet + // will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. + // The CSI driver should parse and validate the following VolumeContext: + // "csi.storage.k8s.io/serviceAccount.tokens": { + // "": { + // "token": , + // "expirationTimestamp": , + // }, + // ... + // } + // + // Note: Audience in each TokenRequest should be different and at + // most one token is empty string. To receive a new token after expiry, + // RequiresRepublish can be used to trigger NodePublishVolume periodically. + // + // +optional + // +listType=atomic + tokenRequests?: [...#TokenRequest] @go(TokenRequests,[]TokenRequest) @protobuf(6,bytes,opt) + + // requiresRepublish indicates the CSI driver wants `NodePublishVolume` + // being periodically called to reflect any possible change in the mounted + // volume. This field defaults to false. + // + // Note: After a successful initial NodePublishVolume call, subsequent calls + // to NodePublishVolume should only update the contents of the volume. New + // mount points will not be seen by a running container. + // + // +optional + requiresRepublish?: null | bool @go(RequiresRepublish,*bool) @protobuf(7,varint,opt) + + // seLinuxMount specifies if the CSI driver supports "-o context" + // mount option. + // + // When "true", the CSI driver must ensure that all volumes provided by this CSI + // driver can be mounted separately with different `-o context` options. This is + // typical for storage backends that provide volumes as filesystems on block + // devices or as independent shared volumes. + // Kubernetes will call NodeStage / NodePublish with "-o context=xyz" mount + // option when mounting a ReadWriteOncePod volume used in Pod that has + // explicitly set SELinux context. In the future, it may be expanded to other + // volume AccessModes. In any case, Kubernetes will ensure that the volume is + // mounted only with a single SELinux context. + // + // When "false", Kubernetes won't pass any special SELinux mount options to the driver. + // This is typical for volumes that represent subdirectories of a bigger shared filesystem. + // + // Default is "false". + // + // +featureGate=SELinuxMountReadWriteOncePod + // +optional + seLinuxMount?: null | bool @go(SELinuxMount,*bool) @protobuf(8,varint,opt) +} + +// FSGroupPolicy specifies if a CSI Driver supports modifying +// volume ownership and permissions of the volume to be mounted. +// More modes may be added in the future. +#FSGroupPolicy: string // #enumFSGroupPolicy + +#enumFSGroupPolicy: + #ReadWriteOnceWithFSTypeFSGroupPolicy | + #FileFSGroupPolicy | + #NoneFSGroupPolicy + +// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined +// to determine if the volume ownership and permissions +// should be modified. If a fstype is defined and the volume's access mode +// contains ReadWriteOnce, then the defined fsGroup will be applied. +// This mode should be defined if it's expected that the +// fsGroup may need to be modified depending on the pod's SecurityPolicy. +// This is the default behavior if no other FSGroupPolicy is defined. +#ReadWriteOnceWithFSTypeFSGroupPolicy: #FSGroupPolicy & "ReadWriteOnceWithFSType" + +// FileFSGroupPolicy indicates that CSI driver supports volume ownership +// and permission change via fsGroup, and Kubernetes will change the permissions +// and ownership of every file in the volume to match the user requested fsGroup in +// the pod's SecurityPolicy regardless of fstype or access mode. +// Use this mode if Kubernetes should modify the permissions and ownership +// of the volume. +#FileFSGroupPolicy: #FSGroupPolicy & "File" + +// NoneFSGroupPolicy indicates that volumes will be mounted without performing +// any ownership or permission modifications, as the CSIDriver does not support +// these operations. +// This mode should be selected if the CSIDriver does not support fsGroup modifications, +// for example when Kubernetes cannot change ownership and permissions on a volume due +// to root-squash settings on a NFS volume. +#NoneFSGroupPolicy: #FSGroupPolicy & "None" + +// VolumeLifecycleMode is an enumeration of possible usage modes for a volume +// provided by a CSI driver. More modes may be added in the future. +#VolumeLifecycleMode: string // #enumVolumeLifecycleMode + +#enumVolumeLifecycleMode: + #VolumeLifecyclePersistent | + #VolumeLifecycleEphemeral + +// TokenRequest contains parameters of a service account token. +#TokenRequest: { + // audience is the intended audience of the token in "TokenRequestSpec". + // It will default to the audiences of kube apiserver. + audience: string @go(Audience) @protobuf(1,bytes,opt) + + // expirationSeconds is the duration of validity of the token in "TokenRequestSpec". + // It has the same default value of "ExpirationSeconds" in "TokenRequestSpec". + // + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt) +} + +// VolumeLifecyclePersistent explicitly confirms that the driver implements +// the full CSI spec. It is the default when CSIDriverSpec.VolumeLifecycleModes is not +// set. Such volumes are managed in Kubernetes via the persistent volume +// claim mechanism and have a lifecycle that is independent of the pods which +// use them. +#VolumeLifecyclePersistent: #VolumeLifecycleMode & "Persistent" + +// VolumeLifecycleEphemeral indicates that the driver can be used for +// ephemeral inline volumes. Such volumes are specified inside the pod +// spec with a CSIVolumeSource and, as far as Kubernetes is concerned, have +// a lifecycle that is tied to the lifecycle of the pod. For example, such +// a volume might contain data that gets created specifically for that pod, +// like secrets. +// But how the volume actually gets created and managed is entirely up to +// the driver. It might also use reference counting to share the same volume +// instance among different pods if the CSIVolumeSource of those pods is +// identical. +#VolumeLifecycleEphemeral: #VolumeLifecycleMode & "Ephemeral" + +// CSINode holds information about all CSI drivers installed on a node. +// CSI drivers do not need to create the CSINode object directly. As long as +// they use the node-driver-registrar sidecar container, the kubelet will +// automatically populate the CSINode object for the CSI driver as part of +// kubelet plugin registration. +// CSINode has the same name as a node. If the object is missing, it means either +// there are no CSI Drivers available on the node, or the Kubelet version is low +// enough that it doesn't create this object. +// CSINode has an OwnerReference that points to the corresponding node object. +#CSINode: { + metav1.#TypeMeta + + // Standard object's metadata. + // metadata.name must be the Kubernetes node name. + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the specification of CSINode + spec: #CSINodeSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CSINodeSpec holds information about the specification of all CSI drivers installed on a node +#CSINodeSpec: { + // drivers is a list of information of all CSI Drivers existing on a node. + // If all drivers in the list are uninstalled, this can become empty. + // +patchMergeKey=name + // +patchStrategy=merge + drivers: [...#CSINodeDriver] @go(Drivers,[]CSINodeDriver) @protobuf(1,bytes,rep) +} + +// CSINodeDriver holds information about the specification of one CSI driver installed on a node +#CSINodeDriver: { + // name represents the name of the CSI driver that this object refers to. + // This MUST be the same name returned by the CSI GetPluginName() call for + // that driver. + name: string @go(Name) @protobuf(1,bytes,opt) + + // nodeID of the node from the driver point of view. + // This field enables Kubernetes to communicate with storage systems that do + // not share the same nomenclature for nodes. For example, Kubernetes may + // refer to a given node as "node1", but the storage system may refer to + // the same node as "nodeA". When Kubernetes issues a command to the storage + // system to attach a volume to a specific node, it can use this field to + // refer to the node name using the ID that the storage system will + // understand, e.g. "nodeA" instead of "node1". This field is required. + nodeID: string @go(NodeID) @protobuf(2,bytes,opt) + + // topologyKeys is the list of keys supported by the driver. + // When a driver is initialized on a cluster, it provides a set of topology + // keys that it understands (e.g. "company.com/zone", "company.com/region"). + // When a driver is initialized on a node, it provides the same topology keys + // along with values. Kubelet will expose these topology keys as labels + // on its own node object. + // When Kubernetes does topology aware provisioning, it can use this list to + // determine which labels it should retrieve from the node object and pass + // back to the driver. + // It is possible for different nodes to use different topology keys. + // This can be empty if driver does not support topology. + // +optional + topologyKeys: [...string] @go(TopologyKeys,[]string) @protobuf(3,bytes,rep) + + // allocatable represents the volume resources of a node that are available for scheduling. + // This field is beta. + // +optional + allocatable?: null | #VolumeNodeResources @go(Allocatable,*VolumeNodeResources) @protobuf(4,bytes,opt) +} + +// VolumeNodeResources is a set of resource limits for scheduling of volumes. +#VolumeNodeResources: { + // count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node. + // A volume that is both attached and mounted on a node is considered to be used once, not twice. + // The same rule applies for a unique volume that is shared among multiple pods on the same node. + // If this field is not specified, then the supported number of volumes on this node is unbounded. + // +optional + count?: null | int32 @go(Count,*int32) @protobuf(1,varint,opt) +} + +// CSINodeList is a collection of CSINode objects. +#CSINodeList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSINode + items: [...#CSINode] @go(Items,[]CSINode) @protobuf(2,bytes,rep) +} + +// CSIStorageCapacity stores the result of one CSI GetCapacity call. +// For a given StorageClass, this describes the available capacity in a +// particular topology segment. This can be used when considering where to +// instantiate new PersistentVolumes. +// +// For example this can express things like: +// - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1" +// - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123" +// +// The following three cases all imply that no capacity is available for +// a certain combination: +// - no object exists with suitable topology and storage class name +// - such an object exists, but the capacity is unset +// - such an object exists, but the capacity is zero +// +// The producer of these objects can decide which approach is more suitable. +// +// They are consumed by the kube-scheduler when a CSI driver opts into +// capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler +// compares the MaximumVolumeSize against the requested size of pending volumes +// to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back +// to a comparison against the less precise Capacity. If that is also unset, +// the scheduler assumes that capacity is insufficient and tries some other +// node. +#CSIStorageCapacity: { + metav1.#TypeMeta + + // Standard object's metadata. + // The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters). + // To ensure that there are no conflicts with other CSI drivers on the cluster, + // the recommendation is to use csisc-, a generated name, or a reverse-domain name + // which ends with the unique CSI driver name. + // + // Objects are namespaced. + // + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // nodeTopology defines which nodes have access to the storage + // for which capacity was reported. If not set, the storage is + // not accessible from any node in the cluster. If empty, the + // storage is accessible from all nodes. This field is + // immutable. + // + // +optional + nodeTopology?: null | metav1.#LabelSelector @go(NodeTopology,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // storageClassName represents the name of the StorageClass that the reported capacity applies to. + // It must meet the same requirements as the name of a StorageClass + // object (non-empty, DNS subdomain). If that object no longer exists, + // the CSIStorageCapacity object is obsolete and should be removed by its + // creator. + // This field is immutable. + storageClassName: string @go(StorageClassName) @protobuf(3,bytes) + + // capacity is the value reported by the CSI driver in its GetCapacityResponse + // for a GetCapacityRequest with topology and parameters that match the + // previous fields. + // + // The semantic is currently (CSI spec 1.2) defined as: + // The available capacity, in bytes, of the storage that can be used + // to provision volumes. If not set, that information is currently + // unavailable. + // + // +optional + capacity?: null | resource.#Quantity @go(Capacity,*resource.Quantity) @protobuf(4,bytes,opt) + + // maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse + // for a GetCapacityRequest with topology and parameters that match the + // previous fields. + // + // This is defined since CSI spec 1.4.0 as the largest size + // that may be used in a + // CreateVolumeRequest.capacity_range.required_bytes field to + // create a volume with the same parameters as those in + // GetCapacityRequest. The corresponding value in the Kubernetes + // API is ResourceRequirements.Requests in a volume claim. + // + // +optional + maximumVolumeSize?: null | resource.#Quantity @go(MaximumVolumeSize,*resource.Quantity) @protobuf(5,bytes,opt) +} + +// CSIStorageCapacityList is a collection of CSIStorageCapacity objects. +#CSIStorageCapacityList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSIStorageCapacity objects. + // +listType=map + // +listMapKey=name + items: [...#CSIStorageCapacity] @go(Items,[]CSIStorageCapacity) @protobuf(2,bytes,rep) +} diff --git a/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue b/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue new file mode 100644 index 0000000..083aa82 --- /dev/null +++ b/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +// Package v1 is the v1 version of the API. +package v1 diff --git a/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue new file mode 100644 index 0000000..c4ce800 --- /dev/null +++ b/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +#GroupName: "apiextensions.k8s.io" diff --git a/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue new file mode 100644 index 0000000..b938c8b --- /dev/null +++ b/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue @@ -0,0 +1,513 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/runtime" +) + +// ConversionStrategyType describes different conversion types. +#ConversionStrategyType: string // #enumConversionStrategyType + +#enumConversionStrategyType: + #NoneConverter | + #WebhookConverter + +// KubeAPIApprovedAnnotation is an annotation that must be set to create a CRD for the k8s.io, *.k8s.io, kubernetes.io, or *.kubernetes.io namespaces. +// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL. +// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`. For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`. This is discouraged. +#KubeAPIApprovedAnnotation: "api-approved.kubernetes.io" + +// NoneConverter is a converter that only sets apiversion of the CR and leave everything else unchanged. +#NoneConverter: #ConversionStrategyType & "None" + +// WebhookConverter is a converter that calls to an external webhook to convert the CR. +#WebhookConverter: #ConversionStrategyType & "Webhook" + +// CustomResourceDefinitionSpec describes how a user wants their resource to appear +#CustomResourceDefinitionSpec: { + // group is the API group of the defined custom resource. + // The custom resources are served under `/apis//...`. + // Must match the name of the CustomResourceDefinition (in the form `.`). + group: string @go(Group) @protobuf(1,bytes,opt) + + // names specify the resource and kind names for the custom resource. + names: #CustomResourceDefinitionNames @go(Names) @protobuf(3,bytes,opt) + + // scope indicates whether the defined custom resource is cluster- or namespace-scoped. + // Allowed values are `Cluster` and `Namespaced`. + scope: #ResourceScope @go(Scope) @protobuf(4,bytes,opt,casttype=ResourceScope) + + // versions is the list of all API versions of the defined custom resource. + // Version names are used to compute the order in which served versions are listed in API discovery. + // If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered + // lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), + // then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first + // by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing + // major version, then minor version. An example sorted list of versions: + // v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10. + versions: [...#CustomResourceDefinitionVersion] @go(Versions,[]CustomResourceDefinitionVersion) @protobuf(7,bytes,rep) + + // conversion defines conversion settings for the CRD. + // +optional + conversion?: null | #CustomResourceConversion @go(Conversion,*CustomResourceConversion) @protobuf(9,bytes,opt) + + // preserveUnknownFields indicates that object fields which are not specified + // in the OpenAPI schema should be preserved when persisting to storage. + // apiVersion, kind, metadata and known fields inside metadata are always preserved. + // This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`. + // See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details. + // +optional + preserveUnknownFields?: bool @go(PreserveUnknownFields) @protobuf(10,varint,opt) +} + +// CustomResourceConversion describes how to convert different versions of a CR. +#CustomResourceConversion: { + // strategy specifies how custom resources are converted between versions. Allowed values are: + // - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource. + // - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information + // is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set. + strategy: #ConversionStrategyType @go(Strategy) @protobuf(1,bytes) + + // webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`. + // +optional + webhook?: null | #WebhookConversion @go(Webhook,*WebhookConversion) @protobuf(2,bytes,opt) +} + +// WebhookConversion describes how to call a conversion webhook +#WebhookConversion: { + // clientConfig is the instructions for how to call the webhook if strategy is `Webhook`. + // +optional + clientConfig?: null | #WebhookClientConfig @go(ClientConfig,*WebhookClientConfig) @protobuf(2,bytes) + + // conversionReviewVersions is an ordered list of preferred `ConversionReview` + // versions the Webhook expects. The API server will use the first version in + // the list which it supports. If none of the versions specified in this list + // are supported by API server, conversion will fail for the custom resource. + // If a persisted Webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail. + conversionReviewVersions: [...string] @go(ConversionReviewVersions,[]string) @protobuf(3,bytes,rep) +} + +// WebhookClientConfig contains the information to make a TLS connection with the webhook. +#WebhookClientConfig: { + // url gives the location of the webhook, in standard URL form + // (`scheme://host:port/path`). Exactly one of `url` or `service` + // must be specified. + // + // The `host` should not refer to a service running in the cluster; use + // the `service` field instead. The host might be resolved via external + // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve + // in-cluster DNS as that would be a layering violation). `host` may + // also be an IP address. + // + // Please note that using `localhost` or `127.0.0.1` as a `host` is + // risky unless you take great care to run this webhook on all hosts + // which run an apiserver which might need to make calls to this + // webhook. Such installs are likely to be non-portable, i.e., not easy + // to turn up in a new cluster. + // + // The scheme must be "https"; the URL must begin with "https://". + // + // A path is optional, and if present may be any string permissible in + // a URL. You may use the path to pass an arbitrary string to the + // webhook, for example, a cluster identifier. + // + // Attempting to use a user or basic auth e.g. "user:password@" is not + // allowed. Fragments ("#...") and query parameters ("?...") are not + // allowed, either. + // + // +optional + url?: null | string @go(URL,*string) @protobuf(3,bytes,opt) + + // service is a reference to the service for this webhook. Either + // service or url must be specified. + // + // If the webhook is running within the cluster, then you should use `service`. + // + // +optional + service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt) + + // caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. + // If unspecified, system trust roots on the apiserver are used. + // +optional + caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt) +} + +// ServiceReference holds a reference to Service.legacy.k8s.io +#ServiceReference: { + // namespace is the namespace of the service. + // Required + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // name is the name of the service. + // Required + name: string @go(Name) @protobuf(2,bytes,opt) + + // path is an optional URL path at which the webhook will be contacted. + // +optional + path?: null | string @go(Path,*string) @protobuf(3,bytes,opt) + + // port is an optional service port at which the webhook will be contacted. + // `port` should be a valid port number (1-65535, inclusive). + // Defaults to 443 for backward compatibility. + // +optional + port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt) +} + +// CustomResourceDefinitionVersion describes a version for CRD. +#CustomResourceDefinitionVersion: { + // name is the version name, e.g. “v1”, “v2beta1”, etc. + // The custom resources are served under this version at `/apis///...` if `served` is true. + name: string @go(Name) @protobuf(1,bytes,opt) + + // served is a flag enabling/disabling this version from being served via REST APIs + served: bool @go(Served) @protobuf(2,varint,opt) + + // storage indicates this version should be used when persisting custom resources to storage. + // There must be exactly one version with storage=true. + storage: bool @go(Storage) @protobuf(3,varint,opt) + + // deprecated indicates this version of the custom resource API is deprecated. + // When set to true, API requests to this version receive a warning header in the server response. + // Defaults to false. + // +optional + deprecated?: bool @go(Deprecated) @protobuf(7,varint,opt) + + // deprecationWarning overrides the default warning returned to API clients. + // May only be set when `deprecated` is true. + // The default warning indicates this version is deprecated and recommends use + // of the newest served version of equal or greater stability, if one exists. + // +optional + deprecationWarning?: null | string @go(DeprecationWarning,*string) @protobuf(8,bytes,opt) + + // schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource. + // +optional + schema?: null | #CustomResourceValidation @go(Schema,*CustomResourceValidation) @protobuf(4,bytes,opt) + + // subresources specify what subresources this version of the defined custom resource have. + // +optional + subresources?: null | #CustomResourceSubresources @go(Subresources,*CustomResourceSubresources) @protobuf(5,bytes,opt) + + // additionalPrinterColumns specifies additional columns returned in Table output. + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. + // If no columns are specified, a single column displaying the age of the custom resource is used. + // +optional + additionalPrinterColumns?: [...#CustomResourceColumnDefinition] @go(AdditionalPrinterColumns,[]CustomResourceColumnDefinition) @protobuf(6,bytes,rep) +} + +// CustomResourceColumnDefinition specifies a column for server side printing. +#CustomResourceColumnDefinition: { + // name is a human readable name for the column. + name: string @go(Name) @protobuf(1,bytes,opt) + + // type is an OpenAPI type definition for this column. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details. + type: string @go(Type) @protobuf(2,bytes,opt) + + // format is an optional OpenAPI type definition for this column. The 'name' format is applied + // to the primary identifier column to assist in clients identifying column is the resource name. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details. + // +optional + format?: string @go(Format) @protobuf(3,bytes,opt) + + // description is a human readable description of this column. + // +optional + description?: string @go(Description) @protobuf(4,bytes,opt) + + // priority is an integer defining the relative importance of this column compared to others. Lower + // numbers are considered higher priority. Columns that may be omitted in limited space scenarios + // should be given a priority greater than 0. + // +optional + priority?: int32 @go(Priority) @protobuf(5,bytes,opt) + + // jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against + // each custom resource to produce the value for this column. + jsonPath: string @go(JSONPath) @protobuf(6,bytes,opt) +} + +// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition +#CustomResourceDefinitionNames: { + // plural is the plural name of the resource to serve. + // The custom resources are served under `/apis///.../`. + // Must match the name of the CustomResourceDefinition (in the form `.`). + // Must be all lowercase. + plural: string @go(Plural) @protobuf(1,bytes,opt) + + // singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`. + // +optional + singular?: string @go(Singular) @protobuf(2,bytes,opt) + + // shortNames are short names for the resource, exposed in API discovery documents, + // and used by clients to support invocations like `kubectl get `. + // It must be all lowercase. + // +optional + shortNames?: [...string] @go(ShortNames,[]string) @protobuf(3,bytes,opt) + + // kind is the serialized kind of the resource. It is normally CamelCase and singular. + // Custom resource instances will use this value as the `kind` attribute in API calls. + kind: string @go(Kind) @protobuf(4,bytes,opt) + + // listKind is the serialized kind of the list for this resource. Defaults to "`kind`List". + // +optional + listKind?: string @go(ListKind) @protobuf(5,bytes,opt) + + // categories is a list of grouped resources this custom resource belongs to (e.g. 'all'). + // This is published in API discovery documents, and used by clients to support invocations like + // `kubectl get all`. + // +optional + categories?: [...string] @go(Categories,[]string) @protobuf(6,bytes,rep) +} + +// ResourceScope is an enum defining the different scopes available to a custom resource +#ResourceScope: string // #enumResourceScope + +#enumResourceScope: + #ClusterScoped | + #NamespaceScoped + +#ClusterScoped: #ResourceScope & "Cluster" +#NamespaceScoped: #ResourceScope & "Namespaced" + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// CustomResourceDefinitionConditionType is a valid value for CustomResourceDefinitionCondition.Type +#CustomResourceDefinitionConditionType: string // #enumCustomResourceDefinitionConditionType + +#enumCustomResourceDefinitionConditionType: + #Established | + #NamesAccepted | + #NonStructuralSchema | + #Terminating | + #KubernetesAPIApprovalPolicyConformant + +// Established means that the resource has become active. A resource is established when all names are +// accepted without a conflict for the first time. A resource stays established until deleted, even during +// a later NamesAccepted due to changed names. Note that not all names can be changed. +#Established: #CustomResourceDefinitionConditionType & "Established" + +// NamesAccepted means the names chosen for this CustomResourceDefinition do not conflict with others in +// the group and are therefore accepted. +#NamesAccepted: #CustomResourceDefinitionConditionType & "NamesAccepted" + +// NonStructuralSchema means that one or more OpenAPI schema is not structural. +// +// A schema is structural if it specifies types for all values, with the only exceptions of those with +// - x-kubernetes-int-or-string: true — for fields which can be integer or string +// - x-kubernetes-preserve-unknown-fields: true — for raw, unspecified JSON values +// and there is no type, additionalProperties, default, nullable or x-kubernetes-* vendor extenions +// specified under allOf, anyOf, oneOf or not. +// +// Non-structural schemas will not be allowed anymore in v1 API groups. Moreover, new features will not be +// available for non-structural CRDs: +// - pruning +// - defaulting +// - read-only +// - OpenAPI publishing +// - webhook conversion +#NonStructuralSchema: #CustomResourceDefinitionConditionType & "NonStructuralSchema" + +// Terminating means that the CustomResourceDefinition has been deleted and is cleaning up. +#Terminating: #CustomResourceDefinitionConditionType & "Terminating" + +// KubernetesAPIApprovalPolicyConformant indicates that an API in *.k8s.io or *.kubernetes.io is or is not approved. For CRDs +// outside those groups, this condition will not be set. For CRDs inside those groups, the condition will +// be true if .metadata.annotations["api-approved.kubernetes.io"] is set to a URL, otherwise it will be false. +// See https://github.com/kubernetes/enhancements/pull/1111 for more details. +#KubernetesAPIApprovalPolicyConformant: #CustomResourceDefinitionConditionType & "KubernetesAPIApprovalPolicyConformant" + +// CustomResourceDefinitionCondition contains details for the current condition of this pod. +#CustomResourceDefinitionCondition: { + // type is the type of the condition. Types include Established, NamesAccepted and Terminating. + type: #CustomResourceDefinitionConditionType @go(Type) @protobuf(1,bytes,opt,casttype=CustomResourceDefinitionConditionType) + + // status is the status of the condition. + // Can be True, False, Unknown. + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // lastTransitionTime last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is a unique, one-word, CamelCase reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition +#CustomResourceDefinitionStatus: { + // conditions indicate state for particular aspects of a CustomResourceDefinition + // +optional + // +listType=map + // +listMapKey=type + conditions: [...#CustomResourceDefinitionCondition] @go(Conditions,[]CustomResourceDefinitionCondition) @protobuf(1,bytes,opt) + + // acceptedNames are the names that are actually being used to serve discovery. + // They may be different than the names in spec. + // +optional + acceptedNames: #CustomResourceDefinitionNames @go(AcceptedNames) @protobuf(2,bytes,opt) + + // storedVersions lists all versions of CustomResources that were ever persisted. Tracking these + // versions allows a migration path for stored versions in etcd. The field is mutable + // so a migration controller can finish a migration to another version (ensuring + // no old objects are left in storage), and then remove the rest of the + // versions from this list. + // Versions may not be removed from `spec.versions` while they exist in this list. + // +optional + storedVersions: [...string] @go(StoredVersions,[]string) @protobuf(3,bytes,rep) +} + +#CustomResourceCleanupFinalizer: "customresourcecleanup.apiextensions.k8s.io" + +// CustomResourceDefinition represents a resource that should be exposed on the API server. Its name MUST be in the format +// <.spec.name>.<.spec.group>. +#CustomResourceDefinition: { + metav1.#TypeMeta + + // Standard object's metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec describes how the user wants the resources to appear + spec: #CustomResourceDefinitionSpec @go(Spec) @protobuf(2,bytes,opt) + + // status indicates the actual state of the CustomResourceDefinition + // +optional + status?: #CustomResourceDefinitionStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CustomResourceDefinitionList is a list of CustomResourceDefinition objects. +#CustomResourceDefinitionList: { + metav1.#TypeMeta + + // Standard object's metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items list individual CustomResourceDefinition objects + items: [...#CustomResourceDefinition] @go(Items,[]CustomResourceDefinition) @protobuf(2,bytes,rep) +} + +// CustomResourceValidation is a list of validation methods for CustomResources. +#CustomResourceValidation: { + // openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning. + // +optional + openAPIV3Schema?: null | #JSONSchemaProps @go(OpenAPIV3Schema,*JSONSchemaProps) @protobuf(1,bytes,opt) +} + +// CustomResourceSubresources defines the status and scale subresources for CustomResources. +#CustomResourceSubresources: { + // status indicates the custom resource should serve a `/status` subresource. + // When enabled: + // 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. + // 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object. + // +optional + status?: null | #CustomResourceSubresourceStatus @go(Status,*CustomResourceSubresourceStatus) @protobuf(1,bytes,opt) + + // scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object. + // +optional + scale?: null | #CustomResourceSubresourceScale @go(Scale,*CustomResourceSubresourceScale) @protobuf(2,bytes,opt) +} + +// CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. +// Status is represented by the `.status` JSON path inside of a CustomResource. When set, +// * exposes a /status subresource for the custom resource +// * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza +// * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza +#CustomResourceSubresourceStatus: { +} + +// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources. +#CustomResourceSubresourceScale: { + // specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.spec`. + // If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET. + specReplicasPath: string @go(SpecReplicasPath) @protobuf(1,bytes) + + // statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.status`. + // If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource + // will default to 0. + statusReplicasPath: string @go(StatusReplicasPath) @protobuf(2,bytes,opt) + + // labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.status` or `.spec`. + // Must be set to work with HorizontalPodAutoscaler. + // The field pointed by this JSON path must be a string field (not a complex selector struct) + // which contains a serialized label selector in string form. + // More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource + // If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale` + // subresource will default to the empty string. + // +optional + labelSelectorPath?: null | string @go(LabelSelectorPath,*string) @protobuf(3,bytes,opt) +} + +// ConversionReview describes a conversion request/response. +#ConversionReview: { + metav1.#TypeMeta + + // request describes the attributes for the conversion request. + // +optional + request?: null | #ConversionRequest @go(Request,*ConversionRequest) @protobuf(1,bytes,opt) + + // response describes the attributes for the conversion response. + // +optional + response?: null | #ConversionResponse @go(Response,*ConversionResponse) @protobuf(2,bytes,opt) +} + +// ConversionRequest describes the conversion request parameters. +#ConversionRequest: { + // uid is an identifier for the individual request/response. It allows distinguishing instances of requests which are + // otherwise identical (parallel requests, etc). + // The UID is meant to track the round trip (request/response) between the Kubernetes API server and the webhook, not the user request. + // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + uid: types.#UID @go(UID) @protobuf(1,bytes) + + // desiredAPIVersion is the version to convert given objects to. e.g. "myapi.example.com/v1" + desiredAPIVersion: string @go(DesiredAPIVersion) @protobuf(2,bytes) + + // objects is the list of custom resource objects to be converted. + objects: [...runtime.#RawExtension] @go(Objects,[]runtime.RawExtension) @protobuf(3,bytes,rep) +} + +// ConversionResponse describes a conversion response. +#ConversionResponse: { + // uid is an identifier for the individual request/response. + // This should be copied over from the corresponding `request.uid`. + uid: types.#UID @go(UID) @protobuf(1,bytes) + + // convertedObjects is the list of converted version of `request.objects` if the `result` is successful, otherwise empty. + // The webhook is expected to set `apiVersion` of these objects to the `request.desiredAPIVersion`. The list + // must also have the same size as the input list with the same objects in the same order (equal kind, metadata.uid, metadata.name and metadata.namespace). + // The webhook is allowed to mutate labels and annotations. Any other change to the metadata is silently ignored. + convertedObjects: [...runtime.#RawExtension] @go(ConvertedObjects,[]runtime.RawExtension) @protobuf(2,bytes,rep) + + // result contains the result of conversion with extra details if the conversion failed. `result.status` determines if + // the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the + // conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set + // `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message` + // will be used to construct an error message for the end user. + result: metav1.#Status @go(Result) @protobuf(3,bytes) +} diff --git a/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue b/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue new file mode 100644 index 0000000..19f42c1 --- /dev/null +++ b/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue @@ -0,0 +1,317 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +// FieldValueErrorReason is a machine-readable value providing more detail about why a field failed the validation. +// +enum +#FieldValueErrorReason: string // #enumFieldValueErrorReason + +#enumFieldValueErrorReason: + #FieldValueRequired | + #FieldValueDuplicate | + #FieldValueInvalid | + #FieldValueForbidden + +// FieldValueRequired is used to report required values that are not +// provided (e.g. empty strings, null values, or empty arrays). +#FieldValueRequired: #FieldValueErrorReason & "FieldValueRequired" + +// FieldValueDuplicate is used to report collisions of values that must be +// unique (e.g. unique IDs). +#FieldValueDuplicate: #FieldValueErrorReason & "FieldValueDuplicate" + +// FieldValueInvalid is used to report malformed values (e.g. failed regex +// match, too long, out of bounds). +#FieldValueInvalid: #FieldValueErrorReason & "FieldValueInvalid" + +// FieldValueForbidden is used to report valid (as per formatting rules) +// values which would be accepted under some conditions, but which are not +// permitted by the current conditions (such as security policy). +#FieldValueForbidden: #FieldValueErrorReason & "FieldValueForbidden" + +// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/). +#JSONSchemaProps: { + id?: string @go(ID) @protobuf(1,bytes,opt) + $schema?: #JSONSchemaURL @go(Schema) @protobuf(2,bytes,opt,name=schema) + $ref?: null | string @go(Ref,*string) @protobuf(3,bytes,opt,name=ref) + description?: string @go(Description) @protobuf(4,bytes,opt) + type?: string @go(Type) @protobuf(5,bytes,opt) + + // format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated: + // + // - bsonobjectid: a bson object ID, i.e. a 24 characters hex string + // - uri: an URI as parsed by Golang net/url.ParseRequestURI + // - email: an email address as parsed by Golang net/mail.ParseAddress + // - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034]. + // - ipv4: an IPv4 IP as parsed by Golang net.ParseIP + // - ipv6: an IPv6 IP as parsed by Golang net.ParseIP + // - cidr: a CIDR as parsed by Golang net.ParseCIDR + // - mac: a MAC address as parsed by Golang net.ParseMAC + // - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$ + // - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$ + // - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ + // - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ + // - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041" + // - isbn10: an ISBN10 number string like "0321751043" + // - isbn13: an ISBN13 number string like "978-0321751041" + // - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in + // - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$ + // - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$ + // - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559" + // - byte: base64 encoded binary data + // - password: any kind of string + // - date: a date string like "2006-01-02" as defined by full-date in RFC3339 + // - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format + // - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339. + format?: string @go(Format) @protobuf(6,bytes,opt) + title?: string @go(Title) @protobuf(7,bytes,opt) + + // default is a default value for undefined object fields. + // Defaulting is a beta feature under the CustomResourceDefaulting feature gate. + // Defaulting requires spec.preserveUnknownFields to be false. + default?: null | #JSON @go(Default,*JSON) @protobuf(8,bytes,opt) + maximum?: null | float64 @go(Maximum,*float64) @protobuf(9,bytes,opt) + exclusiveMaximum?: bool @go(ExclusiveMaximum) @protobuf(10,bytes,opt) + minimum?: null | float64 @go(Minimum,*float64) @protobuf(11,bytes,opt) + exclusiveMinimum?: bool @go(ExclusiveMinimum) @protobuf(12,bytes,opt) + maxLength?: null | int64 @go(MaxLength,*int64) @protobuf(13,bytes,opt) + minLength?: null | int64 @go(MinLength,*int64) @protobuf(14,bytes,opt) + pattern?: string @go(Pattern) @protobuf(15,bytes,opt) + maxItems?: null | int64 @go(MaxItems,*int64) @protobuf(16,bytes,opt) + minItems?: null | int64 @go(MinItems,*int64) @protobuf(17,bytes,opt) + uniqueItems?: bool @go(UniqueItems) @protobuf(18,bytes,opt) + multipleOf?: null | float64 @go(MultipleOf,*float64) @protobuf(19,bytes,opt) + enum?: [...#JSON] @go(Enum,[]JSON) @protobuf(20,bytes,rep) + maxProperties?: null | int64 @go(MaxProperties,*int64) @protobuf(21,bytes,opt) + minProperties?: null | int64 @go(MinProperties,*int64) @protobuf(22,bytes,opt) + required?: [...string] @go(Required,[]string) @protobuf(23,bytes,rep) + items?: null | #JSONSchemaPropsOrArray @go(Items,*JSONSchemaPropsOrArray) @protobuf(24,bytes,opt) + allOf?: [...#JSONSchemaProps] @go(AllOf,[]JSONSchemaProps) @protobuf(25,bytes,rep) + oneOf?: [...#JSONSchemaProps] @go(OneOf,[]JSONSchemaProps) @protobuf(26,bytes,rep) + anyOf?: [...#JSONSchemaProps] @go(AnyOf,[]JSONSchemaProps) @protobuf(27,bytes,rep) + not?: null | #JSONSchemaProps @go(Not,*JSONSchemaProps) @protobuf(28,bytes,opt) + properties?: {[string]: #JSONSchemaProps} @go(Properties,map[string]JSONSchemaProps) @protobuf(29,bytes,rep) + additionalProperties?: null | #JSONSchemaPropsOrBool @go(AdditionalProperties,*JSONSchemaPropsOrBool) @protobuf(30,bytes,opt) + patternProperties?: {[string]: #JSONSchemaProps} @go(PatternProperties,map[string]JSONSchemaProps) @protobuf(31,bytes,rep) + dependencies?: #JSONSchemaDependencies @go(Dependencies) @protobuf(32,bytes,opt) + additionalItems?: null | #JSONSchemaPropsOrBool @go(AdditionalItems,*JSONSchemaPropsOrBool) @protobuf(33,bytes,opt) + definitions?: #JSONSchemaDefinitions @go(Definitions) @protobuf(34,bytes,opt) + externalDocs?: null | #ExternalDocumentation @go(ExternalDocs,*ExternalDocumentation) @protobuf(35,bytes,opt) + example?: null | #JSON @go(Example,*JSON) @protobuf(36,bytes,opt) + nullable?: bool @go(Nullable) @protobuf(37,bytes,opt) + + // x-kubernetes-preserve-unknown-fields stops the API server + // decoding step from pruning fields which are not specified + // in the validation schema. This affects fields recursively, + // but switches back to normal pruning behaviour if nested + // properties or additionalProperties are specified in the schema. + // This can either be true or undefined. False is forbidden. + "x-kubernetes-preserve-unknown-fields"?: null | bool @go(XPreserveUnknownFields,*bool) @protobuf(38,bytes,opt,name=xKubernetesPreserveUnknownFields) + + // x-kubernetes-embedded-resource defines that the value is an + // embedded Kubernetes runtime.Object, with TypeMeta and + // ObjectMeta. The type must be object. It is allowed to further + // restrict the embedded object. kind, apiVersion and metadata + // are validated automatically. x-kubernetes-preserve-unknown-fields + // is allowed to be true, but does not have to be if the object + // is fully specified (up to kind, apiVersion, metadata). + "x-kubernetes-embedded-resource"?: bool @go(XEmbeddedResource) @protobuf(39,bytes,opt,name=xKubernetesEmbeddedResource) + + // x-kubernetes-int-or-string specifies that this value is + // either an integer or a string. If this is true, an empty + // type is allowed and type as child of anyOf is permitted + // if following one of the following patterns: + // + // 1) anyOf: + // - type: integer + // - type: string + // 2) allOf: + // - anyOf: + // - type: integer + // - type: string + // - ... zero or more + "x-kubernetes-int-or-string"?: bool @go(XIntOrString) @protobuf(40,bytes,opt,name=xKubernetesIntOrString) + + // x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used + // as the index of the map. + // + // This tag MUST only be used on lists that have the "x-kubernetes-list-type" + // extension set to "map". Also, the values specified for this attribute must + // be a scalar typed field of the child structure (no nesting is supported). + // + // The properties specified must either be required or have a default value, + // to ensure those properties are present for all list items. + // + // +optional + "x-kubernetes-list-map-keys"?: [...string] @go(XListMapKeys,[]string) @protobuf(41,bytes,rep,name=xKubernetesListMapKeys) + + // x-kubernetes-list-type annotates an array to further describe its topology. + // This extension must only be used on lists and may have 3 possible values: + // + // 1) `atomic`: the list is treated as a single entity, like a scalar. + // Atomic lists will be entirely replaced when updated. This extension + // may be used on any type of list (struct, scalar, ...). + // 2) `set`: + // Sets are lists that must not have multiple items with the same value. Each + // value must be a scalar, an object with x-kubernetes-map-type `atomic` or an + // array with x-kubernetes-list-type `atomic`. + // 3) `map`: + // These lists are like maps in that their elements have a non-index key + // used to identify them. Order is preserved upon merge. The map tag + // must only be used on a list with elements of type object. + // Defaults to atomic for arrays. + // +optional + "x-kubernetes-list-type"?: null | string @go(XListType,*string) @protobuf(42,bytes,opt,name=xKubernetesListType) + + // x-kubernetes-map-type annotates an object to further describe its topology. + // This extension must only be used when type is object and may have 2 possible values: + // + // 1) `granular`: + // These maps are actual maps (key-value pairs) and each fields are independent + // from each other (they can each be manipulated by separate actors). This is + // the default behaviour for all maps. + // 2) `atomic`: the list is treated as a single entity, like a scalar. + // Atomic maps will be entirely replaced when updated. + // +optional + "x-kubernetes-map-type"?: null | string @go(XMapType,*string) @protobuf(43,bytes,opt,name=xKubernetesMapType) + + // x-kubernetes-validations describes a list of validation rules written in the CEL expression language. + // This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled. + // +patchMergeKey=rule + // +patchStrategy=merge + // +listType=map + // +listMapKey=rule + "x-kubernetes-validations"?: #ValidationRules @go(XValidations) @protobuf(44,bytes,rep,name=xKubernetesValidations) +} + +// ValidationRules describes a list of validation rules written in the CEL expression language. +#ValidationRules: [...#ValidationRule] + +// ValidationRule describes a validation rule written in the CEL expression language. +#ValidationRule: { + // Rule represents the expression which will be evaluated by CEL. + // ref: https://github.com/google/cel-spec + // The Rule is scoped to the location of the x-kubernetes-validations extension in the schema. + // The `self` variable in the CEL expression is bound to the scoped value. + // Example: + // - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"} + // + // If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable + // via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as + // absent fields in CEL expressions. + // If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map + // are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map + // are accessible via CEL macros and functions such as `self.all(...)`. + // If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and + // functions. + // If the Rule is scoped to a scalar, `self` is bound to the scalar value. + // Examples: + // - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"} + // - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"} + // - Rule scoped to a string value: {"rule": "self.startsWith('kube')"} + // + // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the + // object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible. + // + // Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL + // expressions. This includes: + // - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields. + // - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as: + // - A schema with no type and x-kubernetes-preserve-unknown-fields set to true + // - An array where the items schema is of an "unknown type" + // - An object where the additionalProperties schema is of an "unknown type" + // + // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. + // Accessible property names are escaped according to the following rules when accessed in the expression: + // - '__' escapes to '__underscores__' + // - '.' escapes to '__dot__' + // - '-' escapes to '__dash__' + // - '/' escapes to '__slash__' + // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are: + // "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", + // "import", "let", "loop", "package", "namespace", "return". + // Examples: + // - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"} + // - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"} + // - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"} + // + // Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. + // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type: + // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and + // non-intersecting elements in `Y` are appended, retaining their partial order. + // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values + // are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with + // non-intersecting keys are appended, retaining their partial order. + rule: string @go(Rule) @protobuf(1,bytes,opt) + + // Message represents the message displayed when validation fails. The message is required if the Rule contains + // line breaks. The message must not contain line breaks. + // If unset, the message is "failed rule: {Rule}". + // e.g. "must be a URL with the host matching spec.host" + message?: string @go(Message) @protobuf(2,bytes,opt) + + // MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + // Since messageExpression is used as a failure message, it must evaluate to a string. + // If both message and messageExpression are present on a rule, then messageExpression will be used if validation + // fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + // as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + // messageExpression has access to all the same variables as the rule; the only difference is the return type. + // Example: + // "x must be less than max ("+string(self.max)+")" + // +optional + messageExpression?: string @go(MessageExpression) @protobuf(3,bytes,opt) + + // reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule. + // The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule. + // The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate". + // If not set, default to use "FieldValueInvalid". + // All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid. + // +optional + reason?: null | #FieldValueErrorReason @go(Reason,*FieldValueErrorReason) @protobuf(4,bytes,opt) + + // fieldPath represents the field path returned when the validation fails. + // It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field. + // e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo` + // If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList` + // It does not support list numeric index. + // It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info. + // Numeric index of array is not supported. + // For field name which contains special characters, use `['specialName']` to refer the field name. + // e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']` + // +optional + fieldPath?: string @go(FieldPath) @protobuf(5,bytes,opt) +} + +// JSON represents any valid JSON value. +// These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil. +#JSON: _ + +// JSONSchemaURL represents a schema url. +#JSONSchemaURL: string + +// JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps +// or an array of JSONSchemaProps. Mainly here for serialization purposes. +#JSONSchemaPropsOrArray: _ + +// JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. +// Defaults to true for the boolean property. +#JSONSchemaPropsOrBool: _ + +// JSONSchemaDependencies represent a dependencies property. +#JSONSchemaDependencies: {[string]: #JSONSchemaPropsOrStringArray} + +// JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array. +#JSONSchemaPropsOrStringArray: _ + +// JSONSchemaDefinitions contains the models explicitly defined in this spec. +#JSONSchemaDefinitions: {[string]: #JSONSchemaProps} + +// ExternalDocumentation allows referencing an external resource for extended documentation. +#ExternalDocumentation: { + description?: string @go(Description) @protobuf(1,bytes,opt) + url?: string @go(URL) @protobuf(2,bytes,opt) +} diff --git a/templates/certificates.cue b/templates/certificates.cue new file mode 100644 index 0000000..8402da9 --- /dev/null +++ b/templates/certificates.cue @@ -0,0 +1,63 @@ +package templates + +import ( + v1 "cert-manager.io/certificate/v1" + issuerv1 "cert-manager.io/issuer/v1" + timoniv1 "timoni.sh/core/v1alpha1" +) + +#Certificate: v1.#Certificate & { + #config: #Config + metadata: #config.metadata + spec: #config.certificate & { + issuerRef: { + group: "cert-manager.io" + kind: "Issuer" + } + } +} + +#JksSecret: timoniv1.#ImmutableConfig & { + #config: #Config + #Kind: timoniv1.#SecretKind + #Meta: { + name: "\(#config.metadata.name)-jks-pwd" + #Version: #config.moduleVersion + namespace: #config.metadata.namespace + annotations: #config.metadata.annotations + } + #Data: { + "password-jks": "changeme" // it's fine, secret don't add any security here + } +} + +#JKS: v1.#Certificate & { + #config: #Config + #secretName: string + metadata: { + name: "\(#config.metadata.name)-jks" + namespace: #config.metadata.namespace + labels: #config.metadata.labels + } + spec: #config.jks & { + issuerRef: { + group: "cert-manager.io" + kind: "Issuer" + } + keystores: { + jks: { + create: true + passwordSecretRef: { + key: "password-jks" + name: #secretName + } + } + } + } +} + +#Issuer: issuerv1.#Issuer & { + #config: #Config + metadata: #config.metadata + spec: #config.issuer +} diff --git a/templates/config.cue b/templates/config.cue index 0e78460..51fcaec 100644 --- a/templates/config.cue +++ b/templates/config.cue @@ -1,10 +1,19 @@ package templates import ( - corev1 "k8s.io/api/core/v1" timoniv1 "timoni.sh/core/v1alpha1" + corev1 "k8s.io/api/core/v1" + certv1 "cert-manager.io/certificate/v1" + issuerv1 "cert-manager.io/issuer/v1" + policyv1 "k8s.io/api/policy/v1" + netv1 "k8s.io/api/networking/v1" ) +#secretReference: { + name: string + key: string +} + // Config defines the schema and defaults for the Instance values. #Config: { // The kubeVersion is a required field, set at apply-time @@ -38,33 +47,12 @@ import ( // The image allows setting the container image repository, // tag, digest and pull policy. - image: timoniv1.#Image & { - repository: *"docker.io/nginx" | string - tag: *"1-alpine" | string - digest: *"" | string - } - - // The pod allows setting the Kubernetes Pod annotations, image pull secrets, - // affinity and anti-affinity rules. By default, pods are scheduled on Linux nodes. - pod: { - annotations?: timoniv1.#Annotations - - affinity: *{ - nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: [{ - matchExpressions: [{ - key: corev1.#LabelOSStable - operator: "In" - values: ["linux"] - }] - }] - } | corev1.#Affinity - - imagePullSecrets?: [...timoniv1.#ObjectReference] - } + // The default image repository and tag is set in `values.cue`. + image!: timoniv1.#Image // The resources allows setting the container resource requirements. // By default, the container requests 10m CPU and 32Mi memory. - resources: timoniv1.#ResourceRequirements & { + resources: timoniv1.#ResourceRequirements | *{ requests: { cpu: *"10m" | timoniv1.#CPUQuantity memory: *"32Mi" | timoniv1.#MemoryQuantity @@ -77,31 +65,187 @@ import ( // The securityContext allows setting the container security context. // By default, the container is denined privilege escalation. - securityContext: corev1.#SecurityContext & { + + securityContext: corev1.#SecurityContext | *{ allowPrivilegeEscalation: *false | true - privileged: *false | true capabilities: { drop: *["ALL"] | [string] - add: *["CHOWN", "NET_BIND_SERVICE", "SETGID", "SETUID"] | [string] + } + privileged: *false | true + readOnlyRootFilesystem: *false | true + runAsNonRoot: false | *true + seccompProfile: { + type: "RuntimeDefault" } } // The service allows setting the Kubernetes Service annotations and port. - // By default, the HTTP port is 80. + // By default, the HTTP port is 8080. service: { annotations?: timoniv1.#Annotations + https: true | *false + if https { + port: *8443 | int & >0 & <=65535 + } + if !https { + port: *8080 | int & >0 & <=65535 + } + } + + // Pod optional settings. + podAnnotations?: {[string]: string} + podSecurityContext?: corev1.#PodSecurityContext + imagePullSecrets?: [...timoniv1.ObjectReference] + tolerations?: [...corev1.#Toleration] + affinity?: corev1.#Affinity + topologySpreadConstraints?: [...corev1.#TopologySpreadConstraint] + + // App settings. + command: [...string] | *["/opt/keycloak/bin/kc.sh", "start"] + + serviceAccountCreate: *false | bool + serviceAccount: corev1.#ServiceAccount + + certificateCreate: *false | bool + // Web certificate + certificate: certv1.#CertificateSpec & { + dnsNames: *["localhost:\( service.port )"] | [...string] + issuerRef: name: *"\(metadata.name)" | string + secretName: "\(metadata.name)-cert" + } + + jksCreate: *false | bool + // Requird to securize Jgroup in HA + jks: certv1.#CertificateSpec & { + commonName: *"infinispan-jks" | string + issuerRef: name: *"\(metadata.name)" | string + secretName: "\(metadata.name)-jks" + } + + // Issuer used to generate certificate & jks + issuerCreate: *false | bool + issuer: issuerv1.#IssuerSpec + + pdbCreate: bool | *(replicas > 1) + pdbSpec: policyv1.#PodDisruptionBudgetSpec & { + minAvailable: *1 | int & >0 & <=65535 + } - port: *80 | int & >0 & <=65535 + networkPolicyCreate: *false | bool + networkPolicyRules: [... netv1.#NetworkPolicyIngressRule] + + // Setup distibuing cache for HA + cacheIspn: bool | *(replicas > 1) + + envs: { + KC_DB?: "dev-file" | "dev-mem" | "postgres" | "mariadb" | "mssql" | "mysql" | "oracle" + KC_HEALTH_ENABLED: true + KC_HTTP_ENABLED: *true | false + KC_HTTP_PORT?: int & >0 & <=65535 + KC_HTTPS_PORT?: int & >0 & <=65535 + KC_HOSTNAME_PORT?: int & >0 & <=65535 + KC_HOSTNAME?: string + KC_HOSTNAME_ADMIN?: string + KC_HOSTNAME_URL?: string + KC_HOSTNAME_ADMIN_URL?: string + KC_HOSTNAME_PATH?: string + KC_HOSTNAME_STRICT?: true | false + KC_HOSTNAME_STRICT_HTTPS?: true | false + KC_HOSTNAME_STRICT_BACKCHANNEL?: true | false + KC_PROXY?: "none" | "edge" | "reencrypt" | "passthrough" + KC_METRICS_ENABLED?: true | false + KEYCLOAK_ADMIN: *"admin" | string | #secretReference + KEYCLOAK_ADMIN_PASSWORD: string | #secretReference + KC_DB_URL?: string | #secretReference + KC_DB_USERNAME?: string | #secretReference + KC_DB_PASSWORD?: string | #secretReference + KC_CACHE?: "local" | "ispn" + KC_CACHE_CONFIG_FILE?: string + KC_CACHE_STACK: *"kubernetes" | "tcp" | "udp" | "ec2" | "azure" | "google" + JAVA_OPTS_APPEND?: string + KC_LOG_LEVEL?: string + KC_LOG_CONSOLE_OUTPUT?: string + KC_LOG_CONSOLE_FORMAT?: string + if certificateCreate { + KC_HTTPS_CERTIFICATE_FILE: *"/certs/tls.crt" | string + KC_HTTPS_CERTIFICATE_KEY_FILE: *"/certs/tls.key" | string + } + if !certificateCreate { + KC_HTTPS_CERTIFICATE_FILE?: string + KC_HTTPS_CERTIFICATE_KEY_FILE?: string + } + + } + + fileDb: false | *(envs.KC_DB == "dev-file" | envs.KC_DB == _|_) + + jgroups: { + name: *"jgroups" | string + port: *7800 | int & >0 & <=65535 } } // Instance takes the config values and outputs the Kubernetes objects. #Instance: { - config: #Config - + config: #Config & { + if config.cacheIspn { + envs: { + KC_CACHE_CONFIG_FILE: string | *"cache-ispn.xml" + KC_CACHE: "local" | *"ispn" + JAVA_OPTS_APPEND: *"-Djgroups.dns.query=\( config.metadata.name )-\( config.jgroups.name )" | string + } + } + if !config.cacheIspn { + envs: { + KC_CACHE: *"local" | "ispn" + } + } + } objects: { - deploy: #Deployment & {#config: config} - service: #Service & {#config: config} + if config.serviceAccountCreate { + sa: #ServiceAccount & {#config: config} + } + if config.certificateCreate { + cert: #Certificate & {#config: config} + } + if config.jksCreate { + // Next version of certmanager the secret should optional and can be remove + // https://github.com/cert-manager/cert-manager/pull/6657#discussion_r1464958155 + jksPassword: #JksSecret & {#config: config} + jks: #JKS & { + #config: config + #secretName: jksPassword.metadata.name + } + } + if config.issuerCreate { + issuer: #Issuer & {#config: config} + } + svcHttp: #ServiceHttp & {#config: config} + if config.cacheIspn { + svcJgroup: #ServiceJgroup & {#config: config} + cm: #ConfigMapIspn & {#config: config} + } + + if config.pdbCreate { + pdb: #PodDisruptionBudget & {#config: config} + } + + if config.networkPolicyCreate { + networkPolicy: #NetworkPolicy & { + #config: config + } + } + + deploy: #Deployment & { + #config: config + #cmName: *objects.cm.metadata.name | "" + if objects.cert.spec.secretName != _|_ { + #certSecretName: objects.cert.spec.secretName + } + if objects.jks.spec.secretName != _|_ { + #jksSecretName: objects.jks.spec.secretName + } + } } } diff --git a/templates/configmap.cue b/templates/configmap.cue new file mode 100644 index 0000000..7e9ac39 --- /dev/null +++ b/templates/configmap.cue @@ -0,0 +1,194 @@ +package templates + +import ( + timoniv1 "timoni.sh/core/v1alpha1" +) + +#ConfigMapIspn: timoniv1.#ImmutableConfig & { + #config: #Config + #Kind: timoniv1.#ConfigMapKind + #Meta: #config.metadata + #Data: { + if #config.jksCreate { + "cache-ispn.xml": """ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + """ + } + if !#config.jksCreate { + "cache-ispn.xml": """ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + """ + } + } +} diff --git a/templates/deployment.cue b/templates/deployment.cue index c188152..7e9e737 100644 --- a/templates/deployment.cue +++ b/templates/deployment.cue @@ -6,61 +6,174 @@ import ( ) #Deployment: appsv1.#Deployment & { - #config: #Config - apiVersion: "apps/v1" - kind: "Deployment" - metadata: #config.metadata + #config: #Config + #cmName: string + #certSecretName: string + #jksSecretName: string + apiVersion: "apps/v1" + kind: "Deployment" + metadata: #config.metadata spec: appsv1.#DeploymentSpec & { replicas: #config.replicas selector: matchLabels: #config.selector.labels template: { metadata: { labels: #config.selector.labels - if #config.pod.annotations != _|_ { - annotations: #config.pod.annotations + if #config.podAnnotations != _|_ { + annotations: #config.podAnnotations } } spec: corev1.#PodSpec & { + if #config.serviceAccountCreate { + serviceAccountName: *#config.serviceAccount.metadata.name | #config.metadata.name + } + if !#config.serviceAccountCreate { + serviceAccountName: *#config.serviceAccount.metadata.name | "default" + } + containers: [ { name: #config.metadata.name + command: #config.command image: #config.image.reference imagePullPolicy: #config.image.pullPolicy + env: [for k, v in #config.envs if v != _|_ && v.name == _|_ { + name: "\( k )" + value: "\( v )" + }, + for k, v in #config.envs if v != _|_ && v.name != _|_ { + name: "\( k )" + valueFrom: + secretKeyRef: { + name: "\( v.name )" + key: "\( v.key )" + }}] ports: [ { name: "http" - containerPort: 80 + containerPort: *#config.envs.KC_HTTP_PORT | 8080 protocol: "TCP" }, + if #config.service.https { + { + name: "https" + containerPort: *#config.envs.KC_HTTPS_PORT | 8443 + protocol: "TCP" + } + }, + if #config.cacheIspn { + { + name: "jgroups" + containerPort: 7800 + protocol: "TCP" + } + }, ] - readinessProbe: { + startupProbe: { + httpGet: { + path: "/health" + port: "http" + scheme: "HTTP" + } + failureThreshold: 30 + periodSeconds: 15 httpGet: { - path: "/" - port: "http" + path: "/health" + port: "http" + scheme: "HTTP" } - initialDelaySeconds: 5 - periodSeconds: 10 } livenessProbe: { - tcpSocket: { - port: "http" + successThreshold: 1 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 10 + failureThreshold: 3 + httpGet: { + path: "/health" + port: "http" + scheme: "HTTP" + } + } + readinessProbe: { + failureThreshold: 3 + successThreshold: 1 + timeoutSeconds: 10 + periodSeconds: 15 + httpGet: { + path: "/health" + port: "http" + scheme: "HTTP" + } + } + volumeMounts: [ + if #config.cacheIspn { + { + mountPath: "/opt/keycloak/conf" + name: "cache" + } + }, + if #certSecretName != _|_ { + { + mountPath: "/certs" + name: "certs" + } + }, + if #jksSecretName != _|_ { + { + mountPath: "/jks" + name: "jks" + } + }, + ] + resources: #config.resources + securityContext: #config.securityContext + }, + ] + volumes: [ + if #certSecretName != _|_ { + { + name: "certs" + secret: { + secretName: #certSecretName } - initialDelaySeconds: 5 - periodSeconds: 5 } - if #config.resources != _|_ { - resources: #config.resources + }, + if #jksSecretName != _|_ { + { + name: "jks" + secret: { + secretName: #jksSecretName + } } - if #config.securityContext != _|_ { - securityContext: #config.securityContext + }, + if #config.cacheIspn { + { + name: "cache" + configMap: { + name: #cmName + items: [{ + key: "cache-ispn.xml" + path: "cache-ispn.xml" + }] + } } }, ] - if #config.pod.affinity != _|_ { - affinity: #config.pod.affinity + if #config.podSecurityContext != _|_ { + securityContext: #config.podSecurityContext + } + if #config.topologySpreadConstraints != _|_ { + topologySpreadConstraints: #config.topologySpreadConstraints + } + if #config.affinity != _|_ { + affinity: #config.affinity + } + if #config.tolerations != _|_ { + tolerations: #config.tolerations } - if #config.pod.imagePullSecrets != _|_ { - imagePullSecrets: #config.pod.imagePullSecrets + if #config.imagePullSecrets != _|_ { + imagePullSecrets: #config.imagePullSecrets } } } diff --git a/templates/networking.cue b/templates/networking.cue new file mode 100644 index 0000000..93766c6 --- /dev/null +++ b/templates/networking.cue @@ -0,0 +1,40 @@ +package templates + +import ( + netv1 "k8s.io/api/networking/v1" +) + +#NetworkPolicy: netv1.#NetworkPolicy & { + apiVersion: "networking.k8s.io/v1" + kind: "NetworkPolicy" + #config: #Config + metadata: #config.metadata + spec: netv1.#NetworkPolicySpec & { + policyTypes: ["Ingress"] + podSelector: { + matchLabels: { + #config.selector.labels + }} + ingress: [ + for v in #config.networkPolicyRules { + v + }, + if #config.cacheIspn { + { + from: [{ + podSelector: { + matchLabels: { + #config.selector.labels + } + } + }, + ] + ports: [{ + protocol: "TCP" + port: #config.jgroups.port + }, + ]} + }, + ] + } +} diff --git a/templates/poddisruptionbudget.cue b/templates/poddisruptionbudget.cue new file mode 100644 index 0000000..0ef2d5b --- /dev/null +++ b/templates/poddisruptionbudget.cue @@ -0,0 +1,19 @@ +package templates + +import ( + policyv1 "k8s.io/api/policy/v1" +) + +#PodDisruptionBudget: policyv1.#PodDisruptionBudget & { + apiVersion: "policy/v1" + kind: "PodDisruptionBudget" + #config: #Config + metadata: #config.metadata + spec: #config.pdbSpec & { + + selector: { + matchLabels: { + #config.selector.labels + }} + } +} diff --git a/templates/service.cue b/templates/service.cue index e6dbe5c..eed0acb 100644 --- a/templates/service.cue +++ b/templates/service.cue @@ -8,19 +8,60 @@ import ( #config: #Config apiVersion: "v1" kind: "Service" - metadata: #config.metadata - if #config.service.annotations != _|_ { - metadata: annotations: #config.service.annotations + metadata: { + namespace: #config.metadata.namespace + labels: #config.metadata.labels + if #config.service.annotations != _|_ { + metadata: annotations: #config.service.annotations + } } spec: corev1.#ServiceSpec & { type: corev1.#ServiceTypeClusterIP selector: #config.selector.labels + } +} + +#ServiceHttp: #Service & { + #config: #Config + metadata: { + name: #config.metadata.name + } + spec: { + ports: [ + if !#config.service.https { + { + name: "http" + appProtocol: "http" + port: #config.service.port + protocol: "TCP" + targetPort: "http" + }, + }, + if #config.service.https { + { + name: "https" + appProtocol: "https" + port: #config.service.port + protocol: "TCP" + targetPort: "https" + } + } + ] + } +} + +#ServiceJgroup: #Service & { + #config: #Config + metadata: { + name: "\( #config.metadata.name )-\( #config.jgroups.name )" + } + spec: { ports: [ { - port: #config.service.port + name: "jgroups" + port: #config.jgroups.port protocol: "TCP" - name: "http" - targetPort: name + targetPort: "jgroups" }, ] } diff --git a/templates/serviceaccount.cue b/templates/serviceaccount.cue new file mode 100644 index 0000000..26174c9 --- /dev/null +++ b/templates/serviceaccount.cue @@ -0,0 +1,21 @@ +package templates + +import ( + corev1 "k8s.io/api/core/v1" +) + +#ServiceAccount: corev1.#ServiceAccount & { + #config: #Config + #config.serviceAccount + apiVersion: "v1" + kind: "ServiceAccount" + + metadata: { + name: *#config.serviceAccount.metadata.name | #config.metadata.name + namespace: #config.metadata.namespace + labels: #config.metadata.labels + if #config.metadata.annotations != _|_ { + annotations: (#config & #config.serviceAccount).metadata.annotations + } + } +} diff --git a/test/certificate-values.cue b/test/certificate-values.cue new file mode 100644 index 0000000..2c77248 --- /dev/null +++ b/test/certificate-values.cue @@ -0,0 +1,54 @@ +// Https with cert manager + +@if(!debug) + +package main + +// Defaults +values: { + + replicas: 2 + image: { + repository: "quay.io/keycloak/keycloak" + digest: "sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a" + tag: "23.0" + } + + metadata: { + annotations: { + custom_annotation: "sleep" + } + } + + service: https: true + + issuerCreate: true + jksCreate: true + certificateCreate: true + networkPolicyCreate: true + + issuer: { + selfSigned: {} + } + + certificate: { + duration: "2160h0m0s" + renewBefore: "360h0m0s" + subject: organizations: ["zelros.com"] + privateKey: { + algorithm: "RSA" + encoding: "PKCS1" + size: 4096 + } + } + + envs: { + KEYCLOAK_ADMIN: "admin" + KEYCLOAK_ADMIN_PASSWORD: "admin" + KC_DB_USERNAME: "admin" + KC_DB_PASSWORD: "admin" + KC_HOSTNAME_STRICT: false + KC_HOSTNAME_STRICT_HTTPS: false + KC_LOG_LEVEL: "DEBUG" + } +} diff --git a/test/certificate.yaml b/test/certificate.yaml new file mode 100644 index 0000000..59a9117 --- /dev/null +++ b/test/certificate.yaml @@ -0,0 +1,350 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: + custom_annotation: sleep + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + dnsNames: + - localhost:8443 + duration: 2160h0m0s + issuerRef: + group: cert-manager.io + kind: Issuer + name: keycloak + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 4096 + renewBefore: 360h0m0s + secretName: keycloak-cert + subject: + organizations: + - zelros.com +--- +apiVersion: v1 +immutable: true +kind: Secret +metadata: + annotations: + custom_annotation: sleep + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak-jks-pwd + app.kubernetes.io/version: 0.0.0-devel + name: keycloak-jks-pwd-86dfda33 + namespace: test +stringData: + password-jks: changeme +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak-jks + namespace: test +spec: + commonName: infinispan-jks + issuerRef: + group: cert-manager.io + kind: Issuer + name: keycloak + keystores: + jks: + create: true + passwordSecretRef: + key: password-jks + name: keycloak-jks-pwd-86dfda33 + secretName: keycloak-jks +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + annotations: + custom_annotation: sleep + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + selfSigned: {} +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + ports: + - appProtocol: https + name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/name: keycloak + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak-jgroups + namespace: test +spec: + ports: + - name: jgroups + port: 7800 + protocol: TCP + targetPort: jgroups + selector: + app.kubernetes.io/name: keycloak + type: ClusterIP +--- +apiVersion: v1 +data: + cache-ispn.xml: " \n \n \n \n\t\t\t\t\t\t\t\n + \ \n \n + \ \n\n \n \n \n \n \n + \ \n \n + \ \n \n \n \n \n + \ \n \n + \ \n \n \n \n + \ \n \n \n \n + \ \n \n \n \n \n + \ \n \n \n \n + \ \n \n \n \n + \ \n \n + \ \n \n + \ \n \n \n \n \n + \ \n \n \n \n + \ \n \n + \ \n \n \n \n \n \n + \ \n \n \n \n + \ \n " +immutable: true +kind: ConfigMap +metadata: + annotations: + custom_annotation: sleep + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak-cc75f05f + namespace: test +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + annotations: + custom_annotation: sleep + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + minAvailable: 1 + selector: + matchLabels: + app.kubernetes.io/name: keycloak +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + custom_annotation: sleep + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: keycloak + ports: + - port: 7800 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: keycloak + policyTypes: + - Ingress +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + custom_annotation: sleep + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/name: keycloak + template: + metadata: + labels: + app.kubernetes.io/name: keycloak + spec: + containers: + - command: + - /opt/keycloak/bin/kc.sh + - start + env: + - name: KC_HEALTH_ENABLED + value: "true" + - name: KC_HTTP_ENABLED + value: "true" + - name: KC_HOSTNAME_STRICT + value: "false" + - name: KC_HOSTNAME_STRICT_HTTPS + value: "false" + - name: KEYCLOAK_ADMIN + value: admin + - name: KEYCLOAK_ADMIN_PASSWORD + value: admin + - name: KC_DB_USERNAME + value: admin + - name: KC_DB_PASSWORD + value: admin + - name: KC_CACHE + value: ispn + - name: KC_CACHE_CONFIG_FILE + value: cache-ispn.xml + - name: KC_CACHE_STACK + value: kubernetes + - name: JAVA_OPTS_APPEND + value: -Djgroups.dns.query=keycloak-jgroups + - name: KC_LOG_LEVEL + value: DEBUG + - name: KC_HTTPS_CERTIFICATE_FILE + value: /certs/tls.crt + - name: KC_HTTPS_CERTIFICATE_KEY_FILE + value: /certs/tls.key + image: quay.io/keycloak/keycloak:23.0@sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: keycloak + ports: + - containerPort: 8080 + name: http + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + - containerPort: 7800 + name: jgroups + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 10 + resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + volumeMounts: + - mountPath: /opt/keycloak/conf + name: cache + - mountPath: /certs + name: certs + - mountPath: /jks + name: jks + serviceAccountName: default + volumes: + - name: certs + secret: + secretName: keycloak-cert + - name: jks + secret: + secretName: keycloak-jks + - configMap: + items: + - key: cache-ispn.xml + path: cache-ispn.xml + name: keycloak-cc75f05f + name: cache +--- diff --git a/test/external-secrets-values.cue b/test/external-secrets-values.cue new file mode 100644 index 0000000..f027044 --- /dev/null +++ b/test/external-secrets-values.cue @@ -0,0 +1,35 @@ +@if(!debug) + +package main + +// Defaults +values: { + + certificateCreate: true + certificate: { + issuerRef: { + name: "existingIssuer" + } + } + jksCreate: true + jks: { + issuerRef: { + name: "existingIssuer" + } + } + + serviceAccount: { + metadata: name: "existing-sa" + } + + envs: { + KEYCLOAK_ADMIN: { + name: "existing-secret" + key: "keycloak-admin-user" + } + KEYCLOAK_ADMIN_PASSWORD: { + name: "existing-secret" + key: "keycloak-admin-password" + } + } +} diff --git a/test/external-secrets.yaml b/test/external-secrets.yaml new file mode 100644 index 0000000..2171a16 --- /dev/null +++ b/test/external-secrets.yaml @@ -0,0 +1,181 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + dnsNames: + - localhost:8080 + issuerRef: + group: cert-manager.io + kind: Issuer + name: existingIssuer + secretName: keycloak-cert +--- +apiVersion: v1 +immutable: true +kind: Secret +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak-jks-pwd + app.kubernetes.io/version: 0.0.0-devel + name: keycloak-jks-pwd-86dfda33 + namespace: test +stringData: + password-jks: changeme +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak-jks + namespace: test +spec: + commonName: infinispan-jks + issuerRef: + group: cert-manager.io + kind: Issuer + name: existingIssuer + keystores: + jks: + create: true + passwordSecretRef: + key: password-jks + name: keycloak-jks-pwd-86dfda33 + secretName: keycloak-jks +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + ports: + - appProtocol: http + name: http + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: keycloak + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: keycloak + template: + metadata: + labels: + app.kubernetes.io/name: keycloak + spec: + containers: + - command: + - /opt/keycloak/bin/kc.sh + - start + env: + - name: KC_HEALTH_ENABLED + value: "true" + - name: KC_HTTP_ENABLED + value: "true" + - name: KC_CACHE + value: local + - name: KC_CACHE_STACK + value: kubernetes + - name: KC_HTTPS_CERTIFICATE_FILE + value: /certs/tls.crt + - name: KC_HTTPS_CERTIFICATE_KEY_FILE + value: /certs/tls.key + - name: KEYCLOAK_ADMIN + valueFrom: + secretKeyRef: + key: keycloak-admin-user + name: existing-secret + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + key: keycloak-admin-password + name: existing-secret + image: quay.io/keycloak/keycloak:23.0@sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: keycloak + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 10 + resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + volumeMounts: + - mountPath: /certs + name: certs + - mountPath: /jks + name: jks + serviceAccountName: existing-sa + volumes: + - name: certs + secret: + secretName: keycloak-cert + - name: jks + secret: + secretName: keycloak-jks +--- diff --git a/test/http-values.cue b/test/http-values.cue new file mode 100644 index 0000000..625e859 --- /dev/null +++ b/test/http-values.cue @@ -0,0 +1,35 @@ +// Note that this file must have no imports and all values must be concrete. + +// Unsecure Keycloak deployment in http with HA + +@if(!debug) + +package main + +// Defaults +values: { + + image: { + repository: "quay.io/keycloak/keycloak" + digest: "sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a" + tag: "23.0" + } + + metadata: { + annotations: { + custom_annotation: "sleep" + } + } + + envs: { + KEYCLOAK_ADMIN: "admin" + KEYCLOAK_ADMIN_PASSWORD: "admin" + KC_DB_USERNAME: "admin" + KC_DB_PASSWORD: "admin" + KC_HOSTNAME_PORT: 8080 + KC_HOSTNAME_URL: "http://localhost:8080/" + KC_HOSTNAME_STRICT: false + KC_HOSTNAME_STRICT_HTTPS: false + KC_LOG_LEVEL: "DEBUG" + } +} diff --git a/test/http.yaml b/test/http.yaml new file mode 100644 index 0000000..76b91a3 --- /dev/null +++ b/test/http.yaml @@ -0,0 +1,123 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + ports: + - appProtocol: http + name: http + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: keycloak + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + custom_annotation: sleep + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: keycloak + template: + metadata: + labels: + app.kubernetes.io/name: keycloak + spec: + containers: + - command: + - /opt/keycloak/bin/kc.sh + - start + env: + - name: KC_HEALTH_ENABLED + value: "true" + - name: KC_HTTP_ENABLED + value: "true" + - name: KC_HOSTNAME_PORT + value: "8080" + - name: KC_HOSTNAME_URL + value: http://localhost:8080/ + - name: KC_HOSTNAME_STRICT + value: "false" + - name: KC_HOSTNAME_STRICT_HTTPS + value: "false" + - name: KEYCLOAK_ADMIN + value: admin + - name: KEYCLOAK_ADMIN_PASSWORD + value: admin + - name: KC_DB_USERNAME + value: admin + - name: KC_DB_PASSWORD + value: admin + - name: KC_CACHE + value: local + - name: KC_CACHE_STACK + value: kubernetes + - name: KC_LOG_LEVEL + value: DEBUG + image: quay.io/keycloak/keycloak:23.0@sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: keycloak + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 10 + resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + volumeMounts: [] + serviceAccountName: default + volumes: [] +--- diff --git a/test/keycloak.bundle.cue b/test/keycloak.bundle.cue new file mode 100644 index 0000000..6910c39 --- /dev/null +++ b/test/keycloak.bundle.cue @@ -0,0 +1,15 @@ +bundle: { + apiVersion: "v1alpha1" + name: "keycloak" + instances: { + keycloak: { + module: url: "oci://ghcr.io/yyvess/keycloak" + module: version: "0.0.0" + namespace: "keycloak" + values: envs: { + KEYCLOAK_ADMIN_PASSWORD: "admin" + KC_HOSTNAME_STRICT: false + } + } + } +} diff --git a/test/minimum-values.cue b/test/minimum-values.cue new file mode 100644 index 0000000..d8702f4 --- /dev/null +++ b/test/minimum-values.cue @@ -0,0 +1,11 @@ +@if(!debug) + +package main + +// Defaults +values: { + envs: { + KEYCLOAK_ADMIN_PASSWORD: "admin" + KC_HOSTNAME_STRICT: false + } +} diff --git a/test/minimum.yaml b/test/minimum.yaml new file mode 100644 index 0000000..1c1c3ac --- /dev/null +++ b/test/minimum.yaml @@ -0,0 +1,109 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + ports: + - appProtocol: http + name: http + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: keycloak + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: keycloak + template: + metadata: + labels: + app.kubernetes.io/name: keycloak + spec: + containers: + - command: + - /opt/keycloak/bin/kc.sh + - start + env: + - name: KC_HEALTH_ENABLED + value: "true" + - name: KC_HTTP_ENABLED + value: "true" + - name: KC_HOSTNAME_STRICT + value: "false" + - name: KEYCLOAK_ADMIN + value: admin + - name: KEYCLOAK_ADMIN_PASSWORD + value: admin + - name: KC_CACHE + value: local + - name: KC_CACHE_STACK + value: kubernetes + image: quay.io/keycloak/keycloak:23.0@sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: keycloak + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 10 + resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + volumeMounts: [] + serviceAccountName: default + volumes: [] +--- diff --git a/test/networkpolicy-values.cue b/test/networkpolicy-values.cue new file mode 100644 index 0000000..e059fec --- /dev/null +++ b/test/networkpolicy-values.cue @@ -0,0 +1,28 @@ +@if(!debug) + +package main + +// Defaults +values: { + envs: { + KEYCLOAK_ADMIN_PASSWORD: "admin" + } + cacheIspn: true + networkPolicyCreate: true + networkPolicyRules: [{ + from: [{ + namespaceSelector: { + matchLabels: { + "project": "timoni" + } + } + }, + ] + ports: [{ + protocol: "TCP" + port: 8080 + }, + ] + }, + ] +} diff --git a/test/networkpolicy.yaml b/test/networkpolicy.yaml new file mode 100644 index 0000000..4c54147 --- /dev/null +++ b/test/networkpolicy.yaml @@ -0,0 +1,271 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + ports: + - appProtocol: http + name: http + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: keycloak + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak-jgroups + namespace: test +spec: + ports: + - name: jgroups + port: 7800 + protocol: TCP + targetPort: jgroups + selector: + app.kubernetes.io/name: keycloak + type: ClusterIP +--- +apiVersion: v1 +data: + cache-ispn.xml: |2- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +immutable: true +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak-9c00292b + namespace: test +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + project: timoni + ports: + - port: 8080 + protocol: TCP + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: keycloak + ports: + - port: 7800 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: keycloak + policyTypes: + - Ingress +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: keycloak + template: + metadata: + labels: + app.kubernetes.io/name: keycloak + spec: + containers: + - command: + - /opt/keycloak/bin/kc.sh + - start + env: + - name: KC_HEALTH_ENABLED + value: "true" + - name: KC_HTTP_ENABLED + value: "true" + - name: KEYCLOAK_ADMIN + value: admin + - name: KEYCLOAK_ADMIN_PASSWORD + value: admin + - name: KC_CACHE + value: ispn + - name: KC_CACHE_CONFIG_FILE + value: cache-ispn.xml + - name: KC_CACHE_STACK + value: kubernetes + - name: JAVA_OPTS_APPEND + value: -Djgroups.dns.query=keycloak-jgroups + image: quay.io/keycloak/keycloak:23.0@sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: keycloak + ports: + - containerPort: 8080 + name: http + protocol: TCP + - containerPort: 7800 + name: jgroups + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 10 + resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + volumeMounts: + - mountPath: /opt/keycloak/conf + name: cache + serviceAccountName: default + volumes: + - configMap: + items: + - key: cache-ispn.xml + path: cache-ispn.xml + name: keycloak-9c00292b + name: cache +--- diff --git a/test/pdb-values.cue b/test/pdb-values.cue new file mode 100644 index 0000000..b24e6a7 --- /dev/null +++ b/test/pdb-values.cue @@ -0,0 +1,23 @@ +// Note that this file must have no imports and all values must be concrete. + +// Unsecure Keycloak deployment in http with HA + +@if(!debug) + +package main + +// Defaults +values: { + + replicas: 4 + + pdbSpec: { + minAvailable: 2 + maxUnavailable: 1 + } + + envs: { + KEYCLOAK_ADMIN: "admin" + KEYCLOAK_ADMIN_PASSWORD: "admin" + } +} diff --git a/test/pdb.yaml b/test/pdb.yaml new file mode 100644 index 0000000..3202ab2 --- /dev/null +++ b/test/pdb.yaml @@ -0,0 +1,256 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + ports: + - appProtocol: http + name: http + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: keycloak + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak-jgroups + namespace: test +spec: + ports: + - name: jgroups + port: 7800 + protocol: TCP + targetPort: jgroups + selector: + app.kubernetes.io/name: keycloak + type: ClusterIP +--- +apiVersion: v1 +data: + cache-ispn.xml: |2- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +immutable: true +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak-9c00292b + namespace: test +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + maxUnavailable: 1 + minAvailable: 2 + selector: + matchLabels: + app.kubernetes.io/name: keycloak +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + replicas: 4 + selector: + matchLabels: + app.kubernetes.io/name: keycloak + template: + metadata: + labels: + app.kubernetes.io/name: keycloak + spec: + containers: + - command: + - /opt/keycloak/bin/kc.sh + - start + env: + - name: KC_HEALTH_ENABLED + value: "true" + - name: KC_HTTP_ENABLED + value: "true" + - name: KEYCLOAK_ADMIN + value: admin + - name: KEYCLOAK_ADMIN_PASSWORD + value: admin + - name: KC_CACHE + value: ispn + - name: KC_CACHE_CONFIG_FILE + value: cache-ispn.xml + - name: KC_CACHE_STACK + value: kubernetes + - name: JAVA_OPTS_APPEND + value: -Djgroups.dns.query=keycloak-jgroups + image: quay.io/keycloak/keycloak:23.0@sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: keycloak + ports: + - containerPort: 8080 + name: http + protocol: TCP + - containerPort: 7800 + name: jgroups + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 10 + resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + volumeMounts: + - mountPath: /opt/keycloak/conf + name: cache + serviceAccountName: default + volumes: + - configMap: + items: + - key: cache-ispn.xml + path: cache-ispn.xml + name: keycloak-9c00292b + name: cache +--- diff --git a/test/sa-values.cue b/test/sa-values.cue new file mode 100644 index 0000000..b94a76e --- /dev/null +++ b/test/sa-values.cue @@ -0,0 +1,40 @@ +// Custome Service account + +@if(!debug) + +package main + +// Defaults +values: { + + replicas: 1 + + image: { + repository: "quay.io/keycloak/keycloak" + digest: "sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a" + tag: "23.0" + } + metadata: { + annotations: { + root: "root" + } + } + + + serviceAccountCreate: true + serviceAccount: { + metadata: name: "kjj" + } + + envs: { + KEYCLOAK_ADMIN: "admin" + KEYCLOAK_ADMIN_PASSWORD: "admin" + KC_DB_USERNAME: "admin" + KC_DB_PASSWORD: "admin" + KC_HOSTNAME_PORT: 8080 + KC_HOSTNAME_URL: "http://localhost:8080/" + KC_HOSTNAME_STRICT: false + KC_HOSTNAME_STRICT_HTTPS: false + KC_LOG_LEVEL: "DEBUG" + } +} diff --git a/test/sa.yaml b/test/sa.yaml new file mode 100644 index 0000000..3f2f0ae --- /dev/null +++ b/test/sa.yaml @@ -0,0 +1,135 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + root: root + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: kjj + namespace: test +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + ports: + - appProtocol: http + name: http + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: keycloak + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + root: root + labels: + app.kubernetes.io/managed-by: timoni + app.kubernetes.io/name: keycloak + app.kubernetes.io/version: 0.0.0-devel + name: keycloak + namespace: test +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: keycloak + template: + metadata: + labels: + app.kubernetes.io/name: keycloak + spec: + containers: + - command: + - /opt/keycloak/bin/kc.sh + - start + env: + - name: KC_HEALTH_ENABLED + value: "true" + - name: KC_HTTP_ENABLED + value: "true" + - name: KC_HOSTNAME_PORT + value: "8080" + - name: KC_HOSTNAME_URL + value: http://localhost:8080/ + - name: KC_HOSTNAME_STRICT + value: "false" + - name: KC_HOSTNAME_STRICT_HTTPS + value: "false" + - name: KEYCLOAK_ADMIN + value: admin + - name: KEYCLOAK_ADMIN_PASSWORD + value: admin + - name: KC_DB_USERNAME + value: admin + - name: KC_DB_PASSWORD + value: admin + - name: KC_CACHE + value: local + - name: KC_CACHE_STACK + value: kubernetes + - name: KC_LOG_LEVEL + value: DEBUG + image: quay.io/keycloak/keycloak:23.0@sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: keycloak + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 10 + resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /health + port: http + scheme: HTTP + periodSeconds: 15 + volumeMounts: [] + serviceAccountName: kjj + volumes: [] +--- diff --git a/test/test.sh b/test/test.sh new file mode 100755 index 0000000..7f99db2 --- /dev/null +++ b/test/test.sh @@ -0,0 +1,15 @@ +#!/bin/bash +echo "minimum-values" +timoni -n test build keycloak ../ --values ../values.cue --values ./minimum-values.cue > ./minimum.yaml +echo "http-values" +timoni -n test build keycloak ../ --values ../values.cue --values ./http-values.cue > ./http.yaml +echo "sa-values" +timoni -n test build keycloak ../ --values ../values.cue --values ./sa-values.cue > ./sa.yaml +echo "certificate-values" +timoni -n test build keycloak ../ --values ../values.cue --values ./certificate-values.cue > ./certificate.yaml +echo "external-secrets-values" +timoni -n test build keycloak ../ --values ../values.cue --values ./external-secrets-values.cue > ./external-secrets.yaml +echo "pdb-values" +timoni -n test build keycloak ../ --values ../values.cue --values ./pdb-values.cue > ./pdb.yaml +echo "network-policy-values" +timoni -n test build keycloak ../ --values ../values.cue --values ./networkpolicy-values.cue > ./networkpolicy.yaml diff --git a/timoni.ignore b/timoni.ignore index 0722c34..732a99a 100644 --- a/timoni.ignore +++ b/timoni.ignore @@ -1,9 +1,14 @@ # VCS .git/ +.github .gitignore .gitmodules .gitattributes +# Idea +*.iml +.idea/ + # Go vendor/ go.mod @@ -12,3 +17,4 @@ go.sum # CUE *_tool.cue debug_values.cue +test/ diff --git a/values.cue b/values.cue index b2723ef..6a4bad8 100644 --- a/values.cue +++ b/values.cue @@ -5,6 +5,13 @@ package main -// Placeholder for user-supplied values. +// Defaults values: { + + image: { + repository: "quay.io/keycloak/keycloak" + digest: "sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a" + tag: "23.0" + } + }