From aef5a80a3d02249560a2b9121aa44dc55b1e95d9 Mon Sep 17 00:00:00 2001 
From: sebhoss Date: Fri, 25 Oct 2024 10:10:35 +0000 Subject: [PATCH] Update upstream specifications to their latest version --- .../v1beta1/pgupgrades.yaml | 4 +- .../v1beta1/postgresclusters.yaml | 2 +- .../v1beta2/scheduledsparkapplications.yaml | 29 + .../v1beta2/sparkapplications.yaml | 29 + .../kuadrant.io/v1alpha1/dnsrecords.yaml | 44 +- .../kuadrant.io/v1beta3/authpolicies.yaml | 5013 ++++++++++++ .../v1beta3/ratelimitpolicies.yaml | 46 +- .../v1alpha1/limitadors.yaml | 11 +- .../v1/integrationplatforms.yaml | 14 +- .../v1/integrationprofiles.yaml | 14 +- .../camel.apache.org/v1/integrations.yaml | 14 +- .../camel-k/camel.apache.org/v1/pipes.yaml | 7 +- .../v1alpha1/kameletbindings.yaml | 7 +- .../v1/clusterdefinitions.yaml | 7 +- .../v1alpha1/backups.yaml | 3 + .../v1alpha1/subscriptions.yaml | 13 +- .../sns.services.k8s.aws/v1alpha1/topics.yaml | 16 +- .../sqs.services.k8s.aws/v1alpha1/queues.yaml | 27 +- .../v1alpha1/policyendpoints.yaml | 2 +- .../acme.cert-manager.io/v1/challenges.yaml | 3 + .../cert-manager.io/v1/clusterissuers.yaml | 3 + .../cert-manager.io/v1/issuers.yaml | 3 + .../clusterdevfileregistrieslists.yaml | 2 +- .../v1alpha1/devfileregistries.yaml | 2 +- .../v1alpha1/devfileregistrieslists.yaml | 2 +- .../org.eclipse.che/v2/checlusters.yaml | 5 +- .../apps.emqx.io/v2beta1/emqxes.yaml | 2 +- .../canaries.flanksource.com/v1/canaries.yaml | 305 + .../v1beta1/grafanadashboards.yaml | 10 +- .../loki/loki.grafana.com/v1/lokistacks.yaml | 261 +- .../v1alpha1/tempostacks.yaml | 6 + .../v5/teleportroles.yaml | 24 +- .../v6/teleportroles.yaml | 24 +- .../app.terraform.io/v1alpha2/agentpools.yaml | 10 + .../app.terraform.io/v1alpha2/workspaces.yaml | 3 + .../v1beta1/cassandradatacenters.yaml | 5 +- .../devices.kubeedge.io/v1beta1/devices.yaml | 14 + .../v1alpha1/nodeupgradejobs.yaml | 21 + .../v1alpha1/targetgroupbindings.yaml | 3 + .../v1beta1/targetgroupbindings.yaml | 3 + .../cluster.x-k8s.io/v1beta1/clusters.yaml | 4 +- 
.../v1beta1/machinepools.yaml | 4 +- .../cluster.x-k8s.io/v1beta1/machines.yaml | 4 +- .../cluster.x-k8s.io/v1beta1/machinesets.yaml | 3 +- .../jobset.x-k8s.io/v1alpha2/jobsets.yaml | 7 + .../kueue.x-k8s.io/v1beta1/clusterqueues.yaml | 2 +- .../kueue.x-k8s.io/v1beta1/localqueues.yaml | 57 + .../kueue.x-k8s.io/v1beta1/workloads.yaml | 7 + .../kyverno.io/v2/cleanuppolicies.yaml | 7 + .../kyverno.io/v2/clustercleanuppolicies.yaml | 7 + .../kyverno.io/v2beta1/cleanuppolicies.yaml | 7 + .../v2beta1/clustercleanuppolicies.yaml | 7 + .../k8s.mariadb.com/v1alpha1/backups.yaml | 154 +- .../k8s.mariadb.com/v1alpha1/mariadbs.yaml | 152 +- .../k8s.mariadb.com/v1alpha1/restores.yaml | 152 +- .../metal3.io/v1alpha1/baremetalhosts.yaml | 230 +- .../v1alpha1/bmceventsubscriptions.yaml | 8 +- .../metal3.io/v1alpha1/dataimages.yaml | 8 +- .../metal3.io/v1alpha1/firmwareschemas.yaml | 8 +- .../metal3.io/v1alpha1/hardwaredata.yaml | 14 +- .../v1alpha1/hostfirmwarecomponents.yaml | 20 +- .../v1alpha1/hostfirmwaresettings.yaml | 20 +- .../v1alpha1/preprovisioningimages.yaml | 28 +- .../v1alpha1/clientsettingspolicies.yaml | 2 +- .../v1alpha1/nginxgateways.yaml | 2 +- .../v1alpha1/nginxproxies.yaml | 2 +- .../v1alpha1/observabilitypolicies.yaml | 2 +- .../v1alpha1/instrumentations.yaml | 784 ++ .../v1beta1/opentelemetrycollectors.yaml | 7 + .../v1/clusterdeploymentcustomizations.yaml | 18 +- .../hive.openshift.io/v1/hiveconfigs.yaml | 9 +- .../v1/felixconfigurations.yaml | 102 +- .../projectcontour.io/v1/httpproxies.yaml | 34 +- .../v1/tlscertificatedelegations.yaml | 4 +- .../v1alpha1/contourconfigurations.yaml | 13 +- .../v1alpha1/contourdeployments.yaml | 85 +- .../v1alpha1/extensionservices.yaml | 8 +- .../monitoring.coreos.com/v1/podmonitors.yaml | 14 + .../monitoring.coreos.com/v1/probes.yaml | 14 + .../v1/prometheuses.yaml | 19 +- .../v1/servicemonitors.yaml | 14 + .../v1alpha1/prometheusagents.yaml | 19 +- .../v1alpha1/scrapeconfigs.yaml | 14 + .../v1alpha1/sparkapplications.yaml 
| 8 +- .../v1alpha1/sparkhistoryservers.yaml | 8 +- .../v1beta1/tinkerbellmachines.yaml | 15 + .../v1beta1/tinkerbellmachinetemplates.yaml | 15 + .../bmc.tinkerbell.org/v1alpha1/machines.yaml | 10 +- .../bmc.tinkerbell.org/v1alpha1/tasks.yaml | 10 +- .../tinkerbell.org/v1alpha1/hardware.yaml | 4 + .../batch.volcano.sh/v1alpha1/jobs.yaml | 45 +- .../bus.volcano.sh/v1alpha1/commands.yaml | 2 +- .../flow.volcano.sh/v1alpha1/jobflows.yaml | 2 +- .../v1alpha1/jobtemplates.yaml | 45 +- .../v1alpha1/numatopologies.yaml | 2 +- .../v1beta1/podgroups.yaml | 2 +- .../scheduling.volcano.sh/v1beta1/queues.yaml | 2 +- .../src/acme_cert_manager_io/v1/challenges.rs | 3 + .../app_terraform_io/v1alpha2/agentpools.rs | 6 + .../app_terraform_io/v1alpha2/workspaces.rs | 3 + .../src/apps_emqx_io/v2beta1/emqxes.rs | 10 +- .../v1/clusterdefinitions.rs | 13 +- .../src/batch_volcano_sh/v1alpha1/jobs.rs | 24 +- .../bmc_tinkerbell_org/v1alpha1/machines.rs | 13 +- .../src/bmc_tinkerbell_org/v1alpha1/tasks.rs | 13 +- .../v1beta1/cassandradatacenters.rs | 5 +- .../src/cert_manager_io/v1/clusterissuers.rs | 3 + .../src/cert_manager_io/v1/issuers.rs | 3 + .../src/cluster_x_k8s_io/v1beta1/clusters.rs | 4 + .../cluster_x_k8s_io/v1beta1/machinepools.rs | 4 + .../src/cluster_x_k8s_io/v1beta1/machines.rs | 4 + .../cluster_x_k8s_io/v1beta1/machinesets.rs | 3 + .../devices_kubeedge_io/v1beta1/devices.rs | 17 + .../v1alpha1/targetgroupbindings.rs | 3 + .../v1beta1/targetgroupbindings.rs | 3 + .../flow_volcano_sh/v1alpha1/jobtemplates.rs | 24 +- .../v1beta1/grafanadashboards.rs | 5 +- .../v1/clusterdeploymentcustomizations.rs | 35 +- .../src/hive_openshift_io/v1/hiveconfigs.rs | 15 + .../v1beta1/tinkerbellmachines.rs | 28 + .../v1beta1/tinkerbellmachinetemplates.rs | 28 + .../src/jobset_x_k8s_io/v1alpha2/jobsets.rs | 14 + .../src/k8s_mariadb_com/v1alpha1/backups.rs | 177 +- .../src/k8s_mariadb_com/v1alpha1/mariadbs.rs | 171 +- .../src/k8s_mariadb_com/v1alpha1/restores.rs | 171 +- 
.../src/kuadrant_io/v1alpha1/dnsrecords.rs | 42 +- .../src/kuadrant_io/v1beta3/authpolicies.rs | 6750 +++++++++++++++++ .../src/kuadrant_io/v1beta3/mod.rs | 1 + .../kuadrant_io/v1beta3/ratelimitpolicies.rs | 63 +- .../kueue_x_k8s_io/v1beta1/clusterqueues.rs | 16 +- .../src/kueue_x_k8s_io/v1beta1/localqueues.rs | 40 + .../src/kueue_x_k8s_io/v1beta1/workloads.rs | 6 + .../src/kyverno_io/v2/cleanuppolicies.rs | 11 + .../kyverno_io/v2/clustercleanuppolicies.rs | 11 + .../src/kyverno_io/v2beta1/cleanuppolicies.rs | 11 + .../v2beta1/clustercleanuppolicies.rs | 11 + kube-custom-resources-rs/src/lib.rs | 1 + .../src/loki_grafana_com/v1/lokistacks.rs | 336 +- .../v1alpha1/bmceventsubscriptions.rs | 6 +- .../src/metal3_io/v1alpha1/dataimages.rs | 3 +- .../src/metal3_io/v1alpha1/firmwareschemas.rs | 3 +- .../src/metal3_io/v1alpha1/hardwaredata.rs | 17 +- .../v1alpha1/hostfirmwarecomponents.rs | 3 +- .../v1alpha1/hostfirmwaresettings.rs | 8 +- .../v1alpha1/preprovisioningimages.rs | 18 +- .../monitoring_coreos_com/v1/podmonitors.rs | 14 + .../src/monitoring_coreos_com/v1/probes.rs | 15 + .../monitoring_coreos_com/v1/prometheuses.rs | 32 +- .../v1/servicemonitors.rs | 14 + .../v1alpha1/prometheusagents.rs | 32 +- .../v1alpha1/scrapeconfigs.rs | 15 + .../v1alpha1/instrumentations.rs | 609 ++ .../v1beta1/opentelemetrycollectors.rs | 10 + .../v1alpha1/nodeupgradejobs.rs | 24 + .../src/org_eclipse_che/v2/checlusters.rs | 11 + .../src/projectcontour_io/v1/httpproxies.rs | 55 +- .../v1alpha1/contourconfigurations.rs | 17 +- .../v1alpha1/contourdeployments.rs | 133 +- .../v1alpha1/extensionservices.rs | 8 +- .../v1beta2/scheduledsparkapplications.rs | 24 +- .../v1beta2/sparkapplications.rs | 24 +- .../tempo_grafana_com/v1alpha1/tempostacks.rs | 15 + .../src/tinkerbell_org/v1alpha1/hardware.rs | 3 + 163 files changed, 16475 insertions(+), 998 deletions(-) create mode 100644 crd-catalog/Kuadrant/kuadrant-operator/kuadrant.io/v1beta3/authpolicies.yaml create mode 100644 
kube-custom-resources-rs/src/kuadrant_io/v1beta3/authpolicies.rs diff --git a/crd-catalog/CrunchyData/postgres-operator/postgres-operator.crunchydata.com/v1beta1/pgupgrades.yaml b/crd-catalog/CrunchyData/postgres-operator/postgres-operator.crunchydata.com/v1beta1/pgupgrades.yaml index 381176e62..82434a0fc 100644 --- a/crd-catalog/CrunchyData/postgres-operator/postgres-operator.crunchydata.com/v1beta1/pgupgrades.yaml +++ b/crd-catalog/CrunchyData/postgres-operator/postgres-operator.crunchydata.com/v1beta1/pgupgrades.yaml @@ -589,7 +589,7 @@ spec: fromPostgresVersion: description: "The major version of PostgreSQL before the upgrade." maximum: 17.0 - minimum: 10.0 + minimum: 11.0 type: "integer" image: description: "The image name to use for major PostgreSQL upgrades." @@ -675,7 +675,7 @@ spec: toPostgresVersion: description: "The major version of PostgreSQL to be upgraded to." maximum: 17.0 - minimum: 10.0 + minimum: 11.0 type: "integer" tolerations: description: "Tolerations of the PGUpgrade pod.\nMore info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration" diff --git a/crd-catalog/CrunchyData/postgres-operator/postgres-operator.crunchydata.com/v1beta1/postgresclusters.yaml b/crd-catalog/CrunchyData/postgres-operator/postgres-operator.crunchydata.com/v1beta1/postgresclusters.yaml index 393acb20f..ce87e3f51 100644 --- a/crd-catalog/CrunchyData/postgres-operator/postgres-operator.crunchydata.com/v1beta1/postgresclusters.yaml +++ b/crd-catalog/CrunchyData/postgres-operator/postgres-operator.crunchydata.com/v1beta1/postgresclusters.yaml @@ -6963,7 +6963,7 @@ spec: postgresVersion: description: "The major version of PostgreSQL installed in the PostgreSQL image" maximum: 17.0 - minimum: 10.0 + minimum: 11.0 type: "integer" proxy: description: "The specification of a proxy that connects to PostgreSQL." 
diff --git a/crd-catalog/GoogleCloudPlatform/spark-on-k8s-operator/sparkoperator.k8s.io/v1beta2/scheduledsparkapplications.yaml b/crd-catalog/GoogleCloudPlatform/spark-on-k8s-operator/sparkoperator.k8s.io/v1beta2/scheduledsparkapplications.yaml index 65740141c..bd9563440 100644 --- a/crd-catalog/GoogleCloudPlatform/spark-on-k8s-operator/sparkoperator.k8s.io/v1beta2/scheduledsparkapplications.yaml +++ b/crd-catalog/GoogleCloudPlatform/spark-on-k8s-operator/sparkoperator.k8s.io/v1beta2/scheduledsparkapplications.yaml @@ -2978,6 +2978,10 @@ spec: - "name" type: "object" type: "array" + template: + description: "Template is a pod template that can be used to define the driver or executor pod configurations that Spark configurations do not support.\nSpark version >= 3.0.0 is required.\nRef: https://spark.apache.org/docs/latest/running-on-kubernetes.html#pod-template." + type: "object" + x-kubernetes-preserve-unknown-fields: true terminationGracePeriodSeconds: description: "Termination grace period seconds for the pod" format: "int64" @@ -5946,6 +5950,10 @@ spec: - "name" type: "object" type: "array" + template: + description: "Template is a pod template that can be used to define the driver or executor pod configurations that Spark configurations do not support.\nSpark version >= 3.0.0 is required.\nRef: https://spark.apache.org/docs/latest/running-on-kubernetes.html#pod-template." + type: "object" + x-kubernetes-preserve-unknown-fields: true terminationGracePeriodSeconds: description: "Termination grace period seconds for the pod" format: "int64" 
@@ -6461,6 +6469,23 @@ spec: properties: metadata: description: "May contain labels and annotations that will be copied into the PVC\nwhen creating it. No other fields are allowed and will be rejected during\nvalidation." + properties: + annotations: + additionalProperties: + type: "string" + type: "object" + finalizers: + items: + type: "string" + type: "array" + labels: + additionalProperties: + type: "string" + type: "object" + name: + type: "string" + namespace: + type: "string" type: "object" spec: description: "The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. The same fields as in a PersistentVolumeClaim\nare also valid here." @@ -7191,6 +7216,7 @@ spec: required: - "driver" - "executor" + - "mainApplicationFile" - "sparkVersion" - "type" type: "object" @@ -7231,6 +7257,9 @@ spec: description: "ScheduleState is the current scheduling state of the application." type: "string" type: "object" + required: + - "metadata" + - "spec" type: "object" served: true storage: true diff --git a/crd-catalog/GoogleCloudPlatform/spark-on-k8s-operator/sparkoperator.k8s.io/v1beta2/sparkapplications.yaml b/crd-catalog/GoogleCloudPlatform/spark-on-k8s-operator/sparkoperator.k8s.io/v1beta2/sparkapplications.yaml index 4fb2aaba1..e8deb35ed 100644 --- a/crd-catalog/GoogleCloudPlatform/spark-on-k8s-operator/sparkoperator.k8s.io/v1beta2/sparkapplications.yaml +++ b/crd-catalog/GoogleCloudPlatform/spark-on-k8s-operator/sparkoperator.k8s.io/v1beta2/sparkapplications.yaml 
@@ -2958,6 +2958,10 @@ spec: - "name" type: "object" type: "array" + template: + description: "Template is a pod template that can be used to define the driver or executor pod configurations that Spark configurations do not support.\nSpark version >= 3.0.0 is required.\nRef: https://spark.apache.org/docs/latest/running-on-kubernetes.html#pod-template." + type: "object" + x-kubernetes-preserve-unknown-fields: true terminationGracePeriodSeconds: description: "Termination grace period seconds for the pod" format: "int64" @@ -5926,6 +5930,10 @@ spec: - "name" type: "object" type: "array" + template: + description: "Template is a pod template that can be used to define the driver or executor pod configurations that Spark configurations do not support.\nSpark version >= 3.0.0 is required.\nRef: https://spark.apache.org/docs/latest/running-on-kubernetes.html#pod-template." + type: "object" + x-kubernetes-preserve-unknown-fields: true terminationGracePeriodSeconds: description: "Termination grace period seconds for the pod" format: "int64" @@ -6441,6 +6449,23 @@ spec: properties: metadata: description: "May contain labels and annotations that will be copied into the PVC\nwhen creating it. No other fields are allowed and will be rejected during\nvalidation." + properties: + annotations: + additionalProperties: + type: "string" + type: "object" + finalizers: + items: + type: "string" + type: "array" + labels: + additionalProperties: + type: "string" + type: "object" + name: + type: "string" + namespace: + type: "string" type: "object" spec: description: "The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. The same fields as in a PersistentVolumeClaim\nare also valid here." @@ -7171,6 +7196,7 @@ spec: required: - "driver" - "executor" + - "mainApplicationFile" - "sparkVersion" - "type" type: "object" 
@@ -7240,6 +7266,9 @@ spec: required: - "driverInfo" type: "object" + required: + - "metadata" + - "spec" type: "object" served: true storage: true diff --git a/crd-catalog/Kuadrant/dns-operator/kuadrant.io/v1alpha1/dnsrecords.yaml b/crd-catalog/Kuadrant/dns-operator/kuadrant.io/v1alpha1/dnsrecords.yaml index a620969aa..449130805 100644 --- a/crd-catalog/Kuadrant/dns-operator/kuadrant.io/v1alpha1/dnsrecords.yaml +++ b/crd-catalog/Kuadrant/dns-operator/kuadrant.io/v1alpha1/dnsrecords.yaml @@ -87,9 +87,6 @@ spec: required: - "name" type: "object" - allowInsecureCertificate: - description: "AllowInsecureCertificate will instruct the health check probe to not fail on a self-signed or otherwise invalid SSL certificate\nthis is primarily used in development or testing environments" - type: "boolean" failureThreshold: description: "FailureThreshold is a limit of consecutive failures that must occur for a host to be considered unhealthy" type: "integer" 
@@ -361,6 +358,47 @@ spec: description: "QueuedAt is a time when DNS record was received for the reconciliation" format: "date-time" type: "string" + relatedEndpoints: + description: "ZoneEndpoints are all the endpoints for the DNSRecordSpec.RootHost that are present in the provider" + items: + description: "Endpoint is a high-level way of a connection between a service and an IP" + properties: + dnsName: + description: "The hostname of the DNS record" + type: "string" + labels: + additionalProperties: + type: "string" + description: "Labels stores labels defined for the Endpoint" + type: "object" + providerSpecific: + description: "ProviderSpecific stores provider specific config" + items: + description: "ProviderSpecificProperty holds the name and value of a configuration which is specific to individual DNS providers" + properties: + name: + type: "string" + value: + type: "string" + type: "object" + type: "array" + recordTTL: + description: "TTL for the record" + format: "int64" + type: "integer" + recordType: + description: "RecordType type of record, e.g. CNAME, A, AAAA, SRV, TXT etc" + type: "string" + setIdentifier: + description: "Identifier to distinguish multiple records with the same name and type (e.g. Route53 records with routing policies other than 'simple')" + type: "string" + targets: + description: "The targets the DNS record points to" + items: + type: "string" + type: "array" + type: "object" + type: "array" validFor: description: "ValidFor indicates duration since the last reconciliation we consider data in the record to be valid" type: "string" diff --git a/crd-catalog/Kuadrant/kuadrant-operator/kuadrant.io/v1beta3/authpolicies.yaml b/crd-catalog/Kuadrant/kuadrant-operator/kuadrant.io/v1beta3/authpolicies.yaml new file mode 100644 index 000000000..bf7d3c423 --- /dev/null +++ b/crd-catalog/Kuadrant/kuadrant-operator/kuadrant.io/v1beta3/authpolicies.yaml 
@@ -0,0 +1,5013 @@ +apiVersion: "apiextensions.k8s.io/v1" +kind: "CustomResourceDefinition" +metadata: + annotations: + controller-gen.kubebuilder.io/version: "v0.14.0" + labels: + gateway.networking.k8s.io/policy: "inherited" + name: "authpolicies.kuadrant.io" +spec: + group: "kuadrant.io" + names: + kind: "AuthPolicy" + listKind: "AuthPolicyList" + plural: "authpolicies" + singular: "authpolicy" + scope: "Namespaced" + versions: + - additionalPrinterColumns: + - description: "AuthPolicy Accepted" + jsonPath: ".status.conditions[?(@.type==\"Accepted\")].status" + name: "Accepted" + priority: 2 + type: "string" + - description: "AuthPolicy Enforced" + jsonPath: ".status.conditions[?(@.type==\"Enforced\")].status" + name: "Enforced" + priority: 2 + type: "string" + - description: "Type of the referenced Gateway API resource" + jsonPath: ".spec.targetRef.kind" + name: "TargetRefKind" + priority: 2 + type: "string" + - description: "Name of the referenced Gateway API resource" + jsonPath: ".spec.targetRef.name" + name: "TargetRefName" + priority: 2 + type: "string" + - jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + name: "v1beta3" + schema: + openAPIV3Schema: + description: "AuthPolicy enables authentication and authorization for service workloads in a Gateway API network" + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + kind: + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: 
"string" + metadata: + type: "object" + spec: + description: "Mutual Exclusivity Validation" + properties: + defaults: + description: "Defaults define explicit default values for this policy and for policies inheriting this policy.\nDefaults are mutually exclusive with implicit defaults defined by AuthPolicyCommonSpec." + properties: + patterns: + additionalProperties: + items: + properties: + operator: + description: "The binary operator to be applied to the content fetched from the authorization JSON, for comparison with \"value\".\nPossible values are: \"eq\" (equal to), \"neq\" (not equal to), \"incl\" (includes; for arrays), \"excl\" (excludes; for arrays), \"matches\" (regex)" + enum: + - "eq" + - "neq" + - "incl" + - "excl" + - "matches" + type: "string" + selector: + description: "Path selector to fetch content from the authorization JSON (e.g. 'request.method').\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nAuthorino custom JSON path modifiers are also supported." + type: "string" + value: + description: "The value of reference for the comparison with the content fetched from the authorization JSON.\nIf used with the \"matches\" operator, the value must compile to a valid Golang regex." + type: "string" + type: "object" + type: "array" + description: "Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules." + type: "object" + rules: + description: "The auth rules of the policy.\nSee Authorino's AuthConfig CRD for more details." + properties: + authentication: + additionalProperties: + properties: + anonymous: + description: "Anonymous access." + type: "object" + apiKey: + description: "Authentication based on API keys stored in Kubernetes secrets." 
+ properties: + allNamespaces: + default: false + description: "Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig.\nEnabling this option in namespaced Authorino instances has no effect." + type: "boolean" + selector: + description: "Label selector used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service" + properties: + matchExpressions: + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: + description: "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values." + properties: + key: + description: "key is the label key that the selector applies to." + type: "string" + operator: + description: "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + values: + description: "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch." + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + description: "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed." 
+ type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + required: + - "selector" + type: "object" + cache: + description: "Caching options for the resolved object returned when applying this config.\nOmit it to avoid caching objects for this config." + properties: + key: + description: "Key used to store the entry in the cache.\nThe resolved key must be unique within the scope of this particular config." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + ttl: + default: 60 + description: "Duration (in seconds) of the external data in the cache before pulled again from the source." + type: "integer" + required: + - "key" + type: "object" + credentials: + description: "Defines where credentials are required to be passed in the request for authentication based on this config.\nIf omitted, it defaults to credentials passed in the HTTP Authorization header and the \"Bearer\" prefix prepended to the secret credential value." 
+ properties: + authorizationHeader: + properties: + prefix: + type: "string" + type: "object" + cookie: + properties: + name: + type: "string" + required: + - "name" + type: "object" + customHeader: + properties: + name: + type: "string" + required: + - "name" + type: "object" + queryString: + properties: + name: + type: "string" + required: + - "name" + type: "object" + type: "object" + defaults: + additionalProperties: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + description: "Set default property values (claims) for the resolved identity object, that are set before appending the object to\nthe authorization JSON. If the property is already present in the resolved identity object, the default value is ignored.\nIt requires the resolved identity object to always be a JSON object.\nDo not use this option with identity objects of other JSON types (array, string, etc)." + type: "object" + jwt: + description: "Authentication based on JWT tokens." + properties: + issuerUrl: + description: "URL of the issuer of the JWT.\nIf `jwksUrl` is omitted, Authorino will append the path to the OpenID Connect Well-Known Discovery endpoint\n(i.e. \"/.well-known/openid-configuration\") to this URL, to discover the OIDC configuration where to obtain\nthe \"jkws_uri\" claim from.\nThe value must coincide with the value of the \"iss\" (issuer) claim of the discovered OpenID Connect configuration." 
+ type: "string" + ttl: + description: "Decides how long to wait before refreshing the JWKS (in seconds).\nIf omitted, Authorino will never refresh the JWKS." + type: "integer" + type: "object" + kubernetesTokenReview: + description: "Authentication by Kubernetes token review." + properties: + audiences: + description: "The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino.\nIf omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences." + items: + type: "string" + type: "array" + type: "object" + metrics: + default: false + description: "Whether this config should generate individual observability metrics" + type: "boolean" + oauth2Introspection: + description: "Authentication by OAuth2 token introspection." + properties: + credentialsRef: + description: "Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server." + properties: + name: + default: "" + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + type: "string" + type: "object" + x-kubernetes-map-type: "atomic" + endpoint: + description: "The full URL of the token introspection endpoint." + type: "string" + tokenTypeHint: + description: "The token type hint for the token introspection.\nIf omitted, it defaults to \"access_token\"." 
+ type: "string" + required: + - "credentialsRef" + - "endpoint" + type: "object" + overrides: + additionalProperties: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + description: "Overrides the resolved identity object by setting the additional properties (claims) specified in this config,\nbefore appending the object to the authorization JSON.\nIt requires the resolved identity object to always be a JSON object.\nDo not use this option with identity objects of other JSON types (array, string, etc)." + type: "object" + plain: + description: "Identity object extracted from the context.\nUse this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." 
+ type: "string" + required: + - "selector" + type: "object" + priority: + default: 0 + description: "Priority group of the config.\nAll configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially." + type: "integer" + when: + description: "Conditions for Authorino to enforce this config.\nIf omitted, the config will be enforced for all requests.\nIf present, all conditions must match for the config to be enforced; otherwise, the config will be skipped." + items: + properties: + all: + description: "A list of pattern expressions to be evaluated as a logical AND." + items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + any: + description: "A list of pattern expressions to be evaluated as a logical OR." + items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + operator: + description: "The binary operator to be applied to the content fetched from the authorization JSON, for comparison with \"value\".\nPossible values are: \"eq\" (equal to), \"neq\" (not equal to), \"incl\" (includes; for arrays), \"excl\" (excludes; for arrays), \"matches\" (regex)" + enum: + - "eq" + - "neq" + - "incl" + - "excl" + - "matches" + type: "string" + patternRef: + description: "Reference to a named set of pattern expressions" + type: "string" + selector: + description: "Path selector to fetch content from the authorization JSON (e.g. 'request.method').\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nAuthorino custom JSON path modifiers are also supported." + type: "string" + value: + description: "The value of reference for the comparison with the content fetched from the authorization JSON.\nIf used with the \"matches\" operator, the value must compile to a valid Golang regex." 
+ type: "string" + type: "object" + type: "array" + x509: + description: "Authentication based on client X.509 certificates.\nThe certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets." + properties: + allNamespaces: + default: false + description: "Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig.\nEnabling this option in namespaced Authorino instances has no effect." + type: "boolean" + selector: + description: "Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate\nclients trying to authenticate to this service" + properties: + matchExpressions: + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: + description: "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values." + properties: + key: + description: "key is the label key that the selector applies to." + type: "string" + operator: + description: "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + values: + description: "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch." + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + description: "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + required: + - "selector" + type: "object" + type: "object" + description: "Authentication configs.\nAt least one config MUST evaluate to a valid identity object for the auth request to be successful." + type: "object" + authorization: + additionalProperties: + properties: + cache: + description: "Caching options for the resolved object returned when applying this config.\nOmit it to avoid caching objects for this config." + properties: + key: + description: "Key used to store the entry in the cache.\nThe resolved key must be unique within the scope of this particular config." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + ttl: + default: 60 + description: "Duration (in seconds) of the external data in the cache before pulled again from the source." + type: "integer" + required: + - "key" + type: "object" + kubernetesSubjectAccessReview: + description: "Authorization by Kubernetes SubjectAccessReview" + properties: + groups: + description: "Groups the user must be a member of or, if `user` is omitted, the groups to check for authorization in the Kubernetes RBAC." 
+ items: + type: "string" + type: "array" + resourceAttributes: + description: "Use resourceAttributes to check permissions on Kubernetes resources.\nIf omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request." + properties: + group: + description: "API group of the resource.\nUse '*' for all API groups." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + name: + description: "Resource name\nOmit it to check for authorization on all resources of the specified kind." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + namespace: + description: "Namespace where the user must have permissions on the resource." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. 
\"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + resource: + description: "Resource kind\nUse '*' for all resource kinds." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + subresource: + description: "Subresource kind" + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + verb: + description: "Verb to check for authorization on the resource.\nUse '*' for all verbs." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 
'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + type: "object" + user: + description: "User to check for authorization in the Kubernetes RBAC.\nOmit it to check for group authorization only." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + type: "object" + metrics: + default: false + description: "Whether this config should generate individual observability metrics" + type: "boolean" + opa: + description: "Open Policy Agent (OPA) Rego policy." + properties: + allValues: + default: false + description: "Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline.\nOtherwise, only the default `allow` rule will be exposed.\nReturning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime." 
+ type: "boolean" + externalPolicy: + description: "Settings for fetching the OPA policy from an external registry.\nUse it alternatively to 'rego'.\nFor the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters',\n'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'." + properties: + body: + description: "Raw body of the HTTP request.\nSupersedes 'bodyParameters'; use either one or the other.\nUse it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used)." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + bodyParameters: + additionalProperties: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." 
+ type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + description: "Custom parameters to encode in the body of the HTTP request.\nSuperseded by 'body'; use either one or the other.\nUse it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used)." + type: "object" + contentType: + default: "application/x-www-form-urlencoded" + description: "Content-Type of the request body. Shapes how 'bodyParameters' are encoded.\nUse it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'." + enum: + - "application/x-www-form-urlencoded" + - "application/json" + type: "string" + credentials: + description: "Defines where client credentials will be passed in the request to the service.\nIf omitted, it defaults to client credentials passed in the HTTP Authorization header and the \"Bearer\" prefix expected prepended to the secret value." + properties: + authorizationHeader: + properties: + prefix: + type: "string" + type: "object" + cookie: + properties: + name: + type: "string" + required: + - "name" + type: "object" + customHeader: + properties: + name: + type: "string" + required: + - "name" + type: "object" + queryString: + properties: + name: + type: "string" + required: + - "name" + type: "object" + type: "object" + headers: + additionalProperties: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." 
+ type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + description: "Custom headers in the HTTP request." + type: "object" + method: + default: "GET" + description: "HTTP verb used in the request to the service. Accepted values: GET (default), POST.\nWhen the request method is POST, the authorization JSON is passed in the body of the request." + enum: + - "GET" + - "POST" + - "PUT" + - "PATCH" + - "DELETE" + - "HEAD" + - "OPTIONS" + - "CONNECT" + - "TRACE" + type: "string" + oauth2: + description: "Authentication with the HTTP service by OAuth2 Client Credentials grant." + properties: + cache: + default: true + description: "Caches and reuses the token until expired.\nSet it to false to force fetch the token at every authorization request regardless of expiration." + type: "boolean" + clientId: + description: "OAuth2 Client ID." + type: "string" + clientSecretRef: + description: "Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret." + properties: + key: + description: "The key of the secret to select from. Must be a valid secret key." + type: "string" + name: + description: "The name of the secret in the Authorino's namespace to select from." + type: "string" + required: + - "key" + - "name" + type: "object" + extraParams: + additionalProperties: + type: "string" + description: "Optional extra parameters for the requests to the token URL." + type: "object" + scopes: + description: "Optional scopes for the client credentials grant, if supported by he OAuth2 server." + items: + type: "string" + type: "array" + tokenUrl: + description: "Token endpoint URL of the OAuth2 resource server." 
+ type: "string" + required: + - "clientId" + - "clientSecretRef" + - "tokenUrl" + type: "object" + sharedSecretRef: + description: "Reference to a Secret key whose value will be passed by Authorino in the request.\nThe HTTP service can use the shared secret to authenticate the origin of the request.\nIgnored if used together with oauth2." + properties: + key: + description: "The key of the secret to select from. Must be a valid secret key." + type: "string" + name: + description: "The name of the secret in the Authorino's namespace to select from." + type: "string" + required: + - "key" + - "name" + type: "object" + ttl: + description: "Duration (in seconds) of the external data in the cache before pulled again from the source." + type: "integer" + url: + description: "Endpoint URL of the HTTP service.\nThe value can include variable placeholders in the format \"{selector}\", where \"selector\" is any pattern supported\nby https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON.\nE.g. https://ext-auth-server.io/metadata?p={request.path}" + type: "string" + required: + - "url" + type: "object" + rego: + description: "Authorization policy as a Rego language document.\nThe Rego document must include the \"allow\" condition, set by Authorino to \"false\" by default (i.e. requests are unauthorized unless changed).\nThe Rego document must NOT include the \"package\" declaration in line 1." + type: "string" + type: "object" + patternMatching: + description: "Pattern-matching authorization rules." + properties: + patterns: + items: + properties: + all: + description: "A list of pattern expressions to be evaluated as a logical AND." + items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + any: + description: "A list of pattern expressions to be evaluated as a logical OR." 
+ items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + operator: + description: "The binary operator to be applied to the content fetched from the authorization JSON, for comparison with \"value\".\nPossible values are: \"eq\" (equal to), \"neq\" (not equal to), \"incl\" (includes; for arrays), \"excl\" (excludes; for arrays), \"matches\" (regex)" + enum: + - "eq" + - "neq" + - "incl" + - "excl" + - "matches" + type: "string" + patternRef: + description: "Reference to a named set of pattern expressions" + type: "string" + selector: + description: "Path selector to fetch content from the authorization JSON (e.g. 'request.method').\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nAuthorino custom JSON path modifiers are also supported." + type: "string" + value: + description: "The value of reference for the comparison with the content fetched from the authorization JSON.\nIf used with the \"matches\" operator, the value must compile to a valid Golang regex." + type: "string" + type: "object" + type: "array" + required: + - "patterns" + type: "object" + priority: + default: 0 + description: "Priority group of the config.\nAll configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially." + type: "integer" + spicedb: + description: "Authorization decision delegated to external Authzed/SpiceDB server." + properties: + endpoint: + description: "Hostname and port number to the GRPC interface of the SpiceDB server (e.g. spicedb:50051)." + type: "string" + insecure: + description: "Insecure HTTP connection (i.e. disables TLS verification)" + type: "boolean" + permission: + description: "The name of the permission (or relation) on which to execute the check." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 
'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + resource: + description: "The resource on which to check the permission or relation." + properties: + kind: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + name: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + type: "object" + sharedSecretRef: + description: "Reference to a Secret key whose value will be used by Authorino to authenticate with the Authzed service." 
+ properties: + key: + description: "The key of the secret to select from. Must be a valid secret key." + type: "string" + name: + description: "The name of the secret in the Authorino's namespace to select from." + type: "string" + required: + - "key" + - "name" + type: "object" + subject: + description: "The subject that will be checked for the permission or relation." + properties: + kind: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + name: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + type: "object" + required: + - "endpoint" + type: "object" + when: + description: "Conditions for Authorino to enforce this config.\nIf omitted, the config will be enforced for all requests.\nIf present, all conditions must match for the config to be enforced; otherwise, the config will be skipped." 
+ items: + properties: + all: + description: "A list of pattern expressions to be evaluated as a logical AND." + items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + any: + description: "A list of pattern expressions to be evaluated as a logical OR." + items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + operator: + description: "The binary operator to be applied to the content fetched from the authorization JSON, for comparison with \"value\".\nPossible values are: \"eq\" (equal to), \"neq\" (not equal to), \"incl\" (includes; for arrays), \"excl\" (excludes; for arrays), \"matches\" (regex)" + enum: + - "eq" + - "neq" + - "incl" + - "excl" + - "matches" + type: "string" + patternRef: + description: "Reference to a named set of pattern expressions" + type: "string" + selector: + description: "Path selector to fetch content from the authorization JSON (e.g. 'request.method').\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nAuthorino custom JSON path modifiers are also supported." + type: "string" + value: + description: "The value of reference for the comparison with the content fetched from the authorization JSON.\nIf used with the \"matches\" operator, the value must compile to a valid Golang regex." + type: "string" + type: "object" + type: "array" + type: "object" + description: "Authorization policies.\nAll policies MUST evaluate to \"allowed = true\" for the auth request be successful." + type: "object" + callbacks: + additionalProperties: + properties: + cache: + description: "Caching options for the resolved object returned when applying this config.\nOmit it to avoid caching objects for this config." + properties: + key: + description: "Key used to store the entry in the cache.\nThe resolved key must be unique within the scope of this particular config." 
+ properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + ttl: + default: 60 + description: "Duration (in seconds) of the external data in the cache before pulled again from the source." + type: "integer" + required: + - "key" + type: "object" + http: + description: "Settings of the external HTTP request" + properties: + body: + description: "Raw body of the HTTP request.\nSupersedes 'bodyParameters'; use either one or the other.\nUse it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used)." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + bodyParameters: + additionalProperties: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. 
\"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + description: "Custom parameters to encode in the body of the HTTP request.\nSuperseded by 'body'; use either one or the other.\nUse it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used)." + type: "object" + contentType: + default: "application/x-www-form-urlencoded" + description: "Content-Type of the request body. Shapes how 'bodyParameters' are encoded.\nUse it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'." + enum: + - "application/x-www-form-urlencoded" + - "application/json" + type: "string" + credentials: + description: "Defines where client credentials will be passed in the request to the service.\nIf omitted, it defaults to client credentials passed in the HTTP Authorization header and the \"Bearer\" prefix expected prepended to the secret value." + properties: + authorizationHeader: + properties: + prefix: + type: "string" + type: "object" + cookie: + properties: + name: + type: "string" + required: + - "name" + type: "object" + customHeader: + properties: + name: + type: "string" + required: + - "name" + type: "object" + queryString: + properties: + name: + type: "string" + required: + - "name" + type: "object" + type: "object" + headers: + additionalProperties: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. 
\"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + description: "Custom headers in the HTTP request." + type: "object" + method: + default: "GET" + description: "HTTP verb used in the request to the service. Accepted values: GET (default), POST.\nWhen the request method is POST, the authorization JSON is passed in the body of the request." + enum: + - "GET" + - "POST" + - "PUT" + - "PATCH" + - "DELETE" + - "HEAD" + - "OPTIONS" + - "CONNECT" + - "TRACE" + type: "string" + oauth2: + description: "Authentication with the HTTP service by OAuth2 Client Credentials grant." + properties: + cache: + default: true + description: "Caches and reuses the token until expired.\nSet it to false to force fetch the token at every authorization request regardless of expiration." + type: "boolean" + clientId: + description: "OAuth2 Client ID." + type: "string" + clientSecretRef: + description: "Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret." + properties: + key: + description: "The key of the secret to select from. Must be a valid secret key." + type: "string" + name: + description: "The name of the secret in the Authorino's namespace to select from." + type: "string" + required: + - "key" + - "name" + type: "object" + extraParams: + additionalProperties: + type: "string" + description: "Optional extra parameters for the requests to the token URL." + type: "object" + scopes: + description: "Optional scopes for the client credentials grant, if supported by he OAuth2 server." + items: + type: "string" + type: "array" + tokenUrl: + description: "Token endpoint URL of the OAuth2 resource server." 
+ type: "string" + required: + - "clientId" + - "clientSecretRef" + - "tokenUrl" + type: "object" + sharedSecretRef: + description: "Reference to a Secret key whose value will be passed by Authorino in the request.\nThe HTTP service can use the shared secret to authenticate the origin of the request.\nIgnored if used together with oauth2." + properties: + key: + description: "The key of the secret to select from. Must be a valid secret key." + type: "string" + name: + description: "The name of the secret in the Authorino's namespace to select from." + type: "string" + required: + - "key" + - "name" + type: "object" + url: + description: "Endpoint URL of the HTTP service.\nThe value can include variable placeholders in the format \"{selector}\", where \"selector\" is any pattern supported\nby https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON.\nE.g. https://ext-auth-server.io/metadata?p={request.path}" + type: "string" + required: + - "url" + type: "object" + metrics: + default: false + description: "Whether this config should generate individual observability metrics" + type: "boolean" + priority: + default: 0 + description: "Priority group of the config.\nAll configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially." + type: "integer" + when: + description: "Conditions for Authorino to enforce this config.\nIf omitted, the config will be enforced for all requests.\nIf present, all conditions must match for the config to be enforced; otherwise, the config will be skipped." + items: + properties: + all: + description: "A list of pattern expressions to be evaluated as a logical AND." + items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + any: + description: "A list of pattern expressions to be evaluated as a logical OR." 
+ items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + operator: + description: "The binary operator to be applied to the content fetched from the authorization JSON, for comparison with \"value\".\nPossible values are: \"eq\" (equal to), \"neq\" (not equal to), \"incl\" (includes; for arrays), \"excl\" (excludes; for arrays), \"matches\" (regex)" + enum: + - "eq" + - "neq" + - "incl" + - "excl" + - "matches" + type: "string" + patternRef: + description: "Reference to a named set of pattern expressions" + type: "string" + selector: + description: "Path selector to fetch content from the authorization JSON (e.g. 'request.method').\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nAuthorino custom JSON path modifiers are also supported." + type: "string" + value: + description: "The value of reference for the comparison with the content fetched from the authorization JSON.\nIf used with the \"matches\" operator, the value must compile to a valid Golang regex." + type: "string" + type: "object" + type: "array" + required: + - "http" + type: "object" + description: "Callback functions.\nAuthorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config." + type: "object" + metadata: + additionalProperties: + properties: + cache: + description: "Caching options for the resolved object returned when applying this config.\nOmit it to avoid caching objects for this config." + properties: + key: + description: "Key used to store the entry in the cache.\nThe resolved key must be unique within the scope of this particular config." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. 
\"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + ttl: + default: 60 + description: "Duration (in seconds) of the external data in the cache before pulled again from the source." + type: "integer" + required: + - "key" + type: "object" + http: + description: "External source of auth metadata via HTTP request" + properties: + body: + description: "Raw body of the HTTP request.\nSupersedes 'bodyParameters'; use either one or the other.\nUse it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used)." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + bodyParameters: + additionalProperties: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. 
\"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + description: "Custom parameters to encode in the body of the HTTP request.\nSuperseded by 'body'; use either one or the other.\nUse it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used)." + type: "object" + contentType: + default: "application/x-www-form-urlencoded" + description: "Content-Type of the request body. Shapes how 'bodyParameters' are encoded.\nUse it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'." + enum: + - "application/x-www-form-urlencoded" + - "application/json" + type: "string" + credentials: + description: "Defines where client credentials will be passed in the request to the service.\nIf omitted, it defaults to client credentials passed in the HTTP Authorization header and the \"Bearer\" prefix expected prepended to the secret value." + properties: + authorizationHeader: + properties: + prefix: + type: "string" + type: "object" + cookie: + properties: + name: + type: "string" + required: + - "name" + type: "object" + customHeader: + properties: + name: + type: "string" + required: + - "name" + type: "object" + queryString: + properties: + name: + type: "string" + required: + - "name" + type: "object" + type: "object" + headers: + additionalProperties: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. 
\"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + description: "Custom headers in the HTTP request." + type: "object" + method: + default: "GET" + description: "HTTP verb used in the request to the service. Accepted values: GET (default), POST.\nWhen the request method is POST, the authorization JSON is passed in the body of the request." + enum: + - "GET" + - "POST" + - "PUT" + - "PATCH" + - "DELETE" + - "HEAD" + - "OPTIONS" + - "CONNECT" + - "TRACE" + type: "string" + oauth2: + description: "Authentication with the HTTP service by OAuth2 Client Credentials grant." + properties: + cache: + default: true + description: "Caches and reuses the token until expired.\nSet it to false to force fetch the token at every authorization request regardless of expiration." + type: "boolean" + clientId: + description: "OAuth2 Client ID." + type: "string" + clientSecretRef: + description: "Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret." + properties: + key: + description: "The key of the secret to select from. Must be a valid secret key." + type: "string" + name: + description: "The name of the secret in the Authorino's namespace to select from." + type: "string" + required: + - "key" + - "name" + type: "object" + extraParams: + additionalProperties: + type: "string" + description: "Optional extra parameters for the requests to the token URL." + type: "object" + scopes: + description: "Optional scopes for the client credentials grant, if supported by he OAuth2 server." + items: + type: "string" + type: "array" + tokenUrl: + description: "Token endpoint URL of the OAuth2 resource server." 
+ type: "string" + required: + - "clientId" + - "clientSecretRef" + - "tokenUrl" + type: "object" + sharedSecretRef: + description: "Reference to a Secret key whose value will be passed by Authorino in the request.\nThe HTTP service can use the shared secret to authenticate the origin of the request.\nIgnored if used together with oauth2." + properties: + key: + description: "The key of the secret to select from. Must be a valid secret key." + type: "string" + name: + description: "The name of the secret in the Authorino's namespace to select from." + type: "string" + required: + - "key" + - "name" + type: "object" + url: + description: "Endpoint URL of the HTTP service.\nThe value can include variable placeholders in the format \"{selector}\", where \"selector\" is any pattern supported\nby https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON.\nE.g. https://ext-auth-server.io/metadata?p={request.path}" + type: "string" + required: + - "url" + type: "object" + metrics: + default: false + description: "Whether this config should generate individual observability metrics" + type: "boolean" + priority: + default: 0 + description: "Priority group of the config.\nAll configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially." + type: "integer" + uma: + description: "User-Managed Access (UMA) source of resource data." + properties: + credentialsRef: + description: "Reference to a Kubernetes secret in the same namespace, that stores client credentials to the resource registration API of the UMA server." + properties: + name: + default: "" + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. 
apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + type: "string" + type: "object" + x-kubernetes-map-type: "atomic" + endpoint: + description: "The endpoint of the UMA server.\nThe value must coincide with the \"issuer\" claim of the UMA config discovered from the well-known uma configuration endpoint." + type: "string" + required: + - "credentialsRef" + - "endpoint" + type: "object" + userInfo: + description: "OpendID Connect UserInfo linked to an OIDC authentication config specified in this same AuthConfig." + properties: + identitySource: + description: "The name of an OIDC-enabled JWT authentication config whose OpenID Connect configuration discovered includes the OIDC \"userinfo_endpoint\" claim." + type: "string" + required: + - "identitySource" + type: "object" + when: + description: "Conditions for Authorino to enforce this config.\nIf omitted, the config will be enforced for all requests.\nIf present, all conditions must match for the config to be enforced; otherwise, the config will be skipped." + items: + properties: + all: + description: "A list of pattern expressions to be evaluated as a logical AND." + items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + any: + description: "A list of pattern expressions to be evaluated as a logical OR." 
+ items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + operator: + description: "The binary operator to be applied to the content fetched from the authorization JSON, for comparison with \"value\".\nPossible values are: \"eq\" (equal to), \"neq\" (not equal to), \"incl\" (includes; for arrays), \"excl\" (excludes; for arrays), \"matches\" (regex)" + enum: + - "eq" + - "neq" + - "incl" + - "excl" + - "matches" + type: "string" + patternRef: + description: "Reference to a named set of pattern expressions" + type: "string" + selector: + description: "Path selector to fetch content from the authorization JSON (e.g. 'request.method').\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nAuthorino custom JSON path modifiers are also supported." + type: "string" + value: + description: "The value of reference for the comparison with the content fetched from the authorization JSON.\nIf used with the \"matches\" operator, the value must compile to a valid Golang regex." + type: "string" + type: "object" + type: "array" + type: "object" + description: "Metadata sources.\nAuthorino fetches auth metadata as JSON from sources specified in this config." + type: "object" + response: + description: "Response items.\nAuthorino builds custom responses to the client of the auth request." + properties: + success: + description: "Response items to be included in the auth response when the request is authenticated and authorized.\nFor integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request." + properties: + dynamicMetadata: + additionalProperties: + description: "Settings of the success custom response item." + properties: + cache: + description: "Caching options for the resolved object returned when applying this config.\nOmit it to avoid caching objects for this config." 
+ properties: + key: + description: "Key used to store the entry in the cache.\nThe resolved key must be unique within the scope of this particular config." + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + ttl: + default: 60 + description: "Duration (in seconds) of the external data in the cache before pulled again from the source." + type: "integer" + required: + - "key" + type: "object" + json: + description: "JSON object\nSpecify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON." + properties: + properties: + additionalProperties: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." 
+ type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + type: "object" + required: + - "properties" + type: "object" + key: + description: "The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object).\nIf omitted, it will be set to the name of the response config." + type: "string" + metrics: + default: false + description: "Whether this config should generate individual observability metrics" + type: "boolean" + plain: + description: "Plain text content" + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + priority: + default: 0 + description: "Priority group of the config.\nAll configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially." + type: "integer" + when: + description: "Conditions for Authorino to enforce this config.\nIf omitted, the config will be enforced for all requests.\nIf present, all conditions must match for the config to be enforced; otherwise, the config will be skipped." + items: + properties: + all: + description: "A list of pattern expressions to be evaluated as a logical AND." + items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + any: + description: "A list of pattern expressions to be evaluated as a logical OR." 
+ items: + type: "object" + x-kubernetes-preserve-unknown-fields: true + type: "array" + operator: + description: "The binary operator to be applied to the content fetched from the authorization JSON, for comparison with \"value\".\nPossible values are: \"eq\" (equal to), \"neq\" (not equal to), \"incl\" (includes; for arrays), \"excl\" (excludes; for arrays), \"matches\" (regex)" + enum: + - "eq" + - "neq" + - "incl" + - "excl" + - "matches" + type: "string" + patternRef: + description: "Reference to a named set of pattern expressions" + type: "string" + selector: + description: "Path selector to fetch content from the authorization JSON (e.g. 'request.method').\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nAuthorino custom JSON path modifiers are also supported." + type: "string" + value: + description: "The value of reference for the comparison with the content fetched from the authorization JSON.\nIf used with the \"matches\" operator, the value must compile to a valid Golang regex." + type: "string" + type: "object" + type: "array" + wristband: + description: "Authorino Festival Wristband token" + properties: + customClaims: + additionalProperties: + properties: + selector: + description: "Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. \"Hello, {auth.identity.name}!\").\nAny pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.\nThe following Authorino custom modifiers are supported: @extract:{sep:\" \",pos:0}, @replace{old:\"\",new:\"\"}, @case:upper|lower, @base64:encode|decode and @strip." + type: "string" + value: + description: "Static value" + x-kubernetes-preserve-unknown-fields: true + type: "object" + description: "Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default." 
+ type: "object" + issuer: + description: "The endpoint to the Authorino service that issues the wristband (format: ://:/, where = /://:/, where = /://:/, where = /://:/, where = /://:/, where = /://:/, where = /`, for example:\n - localhost\n - my.host.com\n - 123.42.12.32\nUse only when a proxy configuration is required. The Operator respects OpenShift cluster-wide proxy configuration,\ndefining `nonProxyHosts` in a custom resource leads to merging non-proxy hosts lists from the cluster proxy configuration, and the ones defined in the custom resources.\nSee the following page: https://docs.openshift.com/container-platform/latest/networking/enable-cluster-wide-proxy.html." + description: "A list of hosts that can be reached directly, bypassing the proxy.\nSpecify wild card domain use the following form `.`, for example:\n - localhost\n - 127.0.0.1\n - my.host.com\n - 123.42.12.32\nUse only when a proxy configuration is required. The Operator respects OpenShift cluster-wide proxy configuration,\ndefining `nonProxyHosts` in a custom resource leads to merging non-proxy hosts lists from the cluster proxy configuration, and the ones defined in the custom resources.\nSee the following page: https://docs.openshift.com/container-platform/latest/networking/enable-cluster-wide-proxy.html.\nIn some proxy configurations, localhost may not translate to 127.0.0.1. Both localhost and 127.0.0.1 should be specified in this situation." items: type: "string" type: "array" 
@@ -2589,6 +2589,9 @@ spec: trustedCerts: description: "Trusted certificate settings." properties: + disableWorkspaceCaBundleMount: + description: "By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap\ncontaining the CA certificate bundle in users' workspaces at two locations:\n'/public-certs' and '/etc/pki/ca-trust/extracted/pem'.\nThe '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates\nfor trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).\nThis option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory\nwhile still mounting it to '/public-certs'." + type: "boolean" gitTrustedCertsConfigMapName: description: "The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.\nSee the following page: https://www.eclipse.org/che/docs/stable/administration-guide/deploying-che-with-support-for-git-repositories-with-self-signed-certificates/\nThe ConfigMap must have a `app.kubernetes.io/part-of=che.eclipse.org` label." type: "string" diff --git a/crd-catalog/emqx/emqx-operator/apps.emqx.io/v2beta1/emqxes.yaml b/crd-catalog/emqx/emqx-operator/apps.emqx.io/v2beta1/emqxes.yaml index 0799ba703..28aae2dcd 100644 --- a/crd-catalog/emqx/emqx-operator/apps.emqx.io/v2beta1/emqxes.yaml +++ b/crd-catalog/emqx/emqx-operator/apps.emqx.io/v2beta1/emqxes.yaml @@ -7005,7 +7005,7 @@ spec: updateRevision: type: "string" type: "object" - nodEvacuationsStatus: + nodeEvacuationsStatus: items: properties: connection_eviction_rate: diff --git a/crd-catalog/flanksource/canary-checker/canaries.flanksource.com/v1/canaries.yaml b/crd-catalog/flanksource/canary-checker/canaries.flanksource.com/v1/canaries.yaml index 452dee399..8cbfa9f07 100644 --- a/crd-catalog/flanksource/canary-checker/canaries.flanksource.com/v1/canaries.yaml +++ b/crd-catalog/flanksource/canary-checker/canaries.flanksource.com/v1/canaries.yaml 
@@ -107,8 +107,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -467,8 +475,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -840,8 +856,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -1163,8 +1187,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -1449,8 +1481,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" 
@@ -1773,8 +1813,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -2168,8 +2216,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -2363,8 +2419,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -2635,8 +2699,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -2853,8 +2925,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true minrecords: type: "integer" name: 
@@ -3151,8 +3231,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -3431,8 +3519,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -3680,8 +3776,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -3912,8 +4016,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -4750,8 +4862,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" 
@@ -5206,8 +5326,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true minAge: description: "MinAge the latest object should be older than defined age" type: "string" @@ -5640,8 +5768,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -5995,8 +6131,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -6302,8 +6446,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" 
@@ -6610,8 +6762,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -7093,8 +7253,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -7344,8 +7512,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -7576,8 +7752,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -7863,8 +8047,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" 
@@ -8173,8 +8365,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -8417,8 +8617,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -8702,8 +8910,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -8833,8 +9049,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -9151,8 +9375,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" 
@@ -9481,8 +9713,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -9715,8 +9955,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -10050,8 +10298,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -10273,8 +10529,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -10636,8 +10900,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" 
@@ -11181,8 +11453,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -11519,8 +11799,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -11855,8 +12143,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -12147,8 +12443,16 @@ spec: metrics: description: "Metrics to expose from check.\nhttps://canarychecker.io/concepts/metrics-exporter" items: + additionalProperties: true + properties: + labels: + items: + additionalProperties: true + type: "object" + type: "array" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" @@ -12374,6 +12678,7 @@ spec: type: "string" type: "object" type: "array" + x-kubernetes-preserve-unknown-fields: true name: description: "Name of the check" type: "string" 
diff --git a/crd-catalog/grafana-operator/grafana-operator/grafana.integreatly.org/v1beta1/grafanadashboards.yaml b/crd-catalog/grafana-operator/grafana-operator/grafana.integreatly.org/v1beta1/grafanadashboards.yaml index 8c16885f6..5909b5c3e 100644 --- a/crd-catalog/grafana-operator/grafana-operator/grafana.integreatly.org/v1beta1/grafanadashboards.yaml +++ b/crd-catalog/grafana-operator/grafana-operator/grafana.integreatly.org/v1beta1/grafanadashboards.yaml @@ -125,7 +125,7 @@ spec: name: type: "string" value: - description: "Inline evn value" + description: "Inline env value" type: "string" valueFrom: description: "Reference on value source, might be the reference on a secret or config map" @@ -269,6 +269,12 @@ spec: format: "duration" pattern: "^([0-9]+(\\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$" type: "string" + uid: + description: "Manually specify the uid for the dashboard, overwrites uids already present in the json model" + type: "string" + x-kubernetes-validations: + - message: "spec.uid is immutable" + rule: "self == oldSelf" url: description: "dashboard url" type: "string" @@ -321,6 +327,8 @@ spec: rule: "(has(self.folderUID) && !(has(self.folderRef))) || (has(self.folderRef) && !(has(self.folderUID))) || !(has(self.folderRef) && (has(self.folderUID)))" - message: "folder field cannot be set when folderUID or folderRef is already declared" rule: "(has(self.folder) && !(has(self.folderRef) || has(self.folderUID))) || !(has(self.folder))" + - message: "spec.uid is immutable" + rule: "((!has(oldSelf.uid) && !has(self.uid)) || (has(oldSelf.uid) && has(self.uid)))" status: description: "GrafanaDashboardStatus defines the observed state of GrafanaDashboard" properties: diff --git a/crd-catalog/grafana/loki/loki.grafana.com/v1/lokistacks.yaml b/crd-catalog/grafana/loki/loki.grafana.com/v1/lokistacks.yaml index 264ff664f..571a9aee2 100644 --- a/crd-catalog/grafana/loki/loki.grafana.com/v1/lokistacks.yaml 
+++ b/crd-catalog/grafana/loki/loki.grafana.com/v1/lokistacks.yaml 
@@ -107,90 +107,72 @@ spec: type: "integer" type: "object" otlp: - description: "OTLP to configure which resource, scope and log attributes\nto store as labels or structured metadata or drop them altogether\nfor all tenants." + description: "OTLP to configure which resource, scope and log attributes are stored as stream labels or structured metadata.\n\nTenancy modes can provide a default OTLP configuration, when no custom OTLP configuration is set or even\nenforce the use of some required attributes." properties: - indexedResourceAttributes: - description: "IndexedResourceAttributes contains the global configuration for resource attributes\nto store them as index labels." - items: - type: "string" - type: "array" - logAttributes: - description: "LogAttributes contains the configuration for log attributes\nto store them as structured metadata or drop them altogether." - items: - description: "OTLPAttributesSpec contains the configuration for a set of attributes\nto store them as index labels or structured metadata or drop them altogether." - properties: - action: - description: "Action defines the indexing action for the selected attributes. They\ncan be either added to structured metadata or drop altogether." - enum: - - "structured_metadata" - - "drop" - type: "string" - attributes: - description: "Attributes allows choosing the attributes by listing their names." - items: - type: "string" - type: "array" - regex: - description: "Regex allows choosing the attributes by matching a regular expression." - type: "string" - required: - - "action" - type: "object" - type: "array" - resourceAttributes: - description: "ResourceAttributes contains the configuration for resource attributes\nto store them as index labels or structured metadata or drop them altogether." + streamLabels: + description: "StreamLabels configures which resource attributes are converted to Loki stream labels." 
properties: - attributes: - description: "Attributes contains the configuration for resource attributes\nto store them as index labels or structured metadata or drop them altogether." + resourceAttributes: + description: "ResourceAttributes lists the names of the resource attributes that should be converted into Loki stream labels." items: - description: "OTLPResourceAttributesConfigSpec contains the configuration for a set of resource attributes\nto store them as index labels or structured metadata or drop them altogether." properties: - action: - description: "Action defines the indexing action for the selected resoure attributes. They\ncan be either indexed as labels, added to structured metadata or drop altogether." - enum: - - "index_label" - - "structured_metadata" - - "drop" + name: + description: "Name contains either a verbatim name of an attribute or a regular expression matching many attributes." type: "string" - attributes: - description: "Attributes is the list of attributes to configure indexing or drop them\naltogether." - items: - type: "string" - type: "array" regex: - description: "Regex allows choosing the attributes by matching a regular expression." + description: "If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name." + type: "boolean" + required: + - "name" + type: "object" + type: "array" + type: "object" + structuredMetadata: + description: "StructuredMetadata configures which attributes are saved in structured metadata." + properties: + logAttributes: + description: "LogAttributes lists the names of log attributes that should be included in structured metadata." + items: + properties: + name: + description: "Name contains either a verbatim name of an attribute or a regular expression matching many attributes." type: "string" + regex: + description: "If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name." 
+ type: "boolean" required: - - "action" + - "name" + type: "object" + type: "array" + resourceAttributes: + description: "ResourceAttributes lists the names of resource attributes that should be included in structured metadata." + items: + properties: + name: + description: "Name contains either a verbatim name of an attribute or a regular expression matching many attributes." + type: "string" + regex: + description: "If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name." + type: "boolean" + required: + - "name" + type: "object" + type: "array" + scopeAttributes: + description: "ScopeAttributes lists the names of scope attributes that should be included in structured metadata." + items: + properties: + name: + description: "Name contains either a verbatim name of an attribute or a regular expression matching many attributes." + type: "string" + regex: + description: "If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name." + type: "boolean" + required: + - "name" type: "object" type: "array" - ignoreDefaults: - description: "IgnoreDefaults controls whether to ignore the global configuration for resource attributes\nindexed as labels.\n\nIf IgnoreDefaults is true, then this spec needs to contain at least one mapping to a index label." - type: "boolean" type: "object" - scopeAttributes: - description: "ScopeAttributes contains the configuration for scope attributes\nto store them as structured metadata or drop them altogether." - items: - description: "OTLPAttributesSpec contains the configuration for a set of attributes\nto store them as index labels or structured metadata or drop them altogether." - properties: - action: - description: "Action defines the indexing action for the selected attributes. They\ncan be either added to structured metadata or drop altogether." 
- enum: - - "structured_metadata" - - "drop" - type: "string" - attributes: - description: "Attributes allows choosing the attributes by listing their names." - items: - type: "string" - type: "array" - regex: - description: "Regex allows choosing the attributes by matching a regular expression." - type: "string" - required: - - "action" - type: "object" - type: "array" type: "object" queries: description: "QueryLimits defines the limit applied on querying log streams." @@ -255,7 +237,7 @@ spec: type: "object" tenants: additionalProperties: - description: "LimitsTemplateSpec defines the limits applied at ingestion or query path." + description: "PerTenantLimitsTemplateSpec defines the limits applied at ingestion or query path." properties: ingestion: description: "IngestionLimits defines the limits applied on ingested log streams." 
@@ -302,85 +284,72 @@ spec: type: "integer" type: "object" otlp: - description: "OTLP to configure which resource, scope and log attributes\nto store as labels or structured metadata or drop them altogether\nfor a single tenants." + description: "OTLP to configure which resource, scope and log attributes are stored as stream labels or structured metadata.\n\nTenancy modes can provide a default OTLP configuration, when no custom OTLP configuration is set or even\nenforce the use of some required attributes.\n\nThe per-tenant configuration for OTLP attributes will be merged with the global configuration." properties: - logAttributes: - description: "LogAttributes contains the configuration for log attributes\nto store them as structured metadata or drop them altogether." - items: - description: "OTLPAttributesSpec contains the configuration for a set of attributes\nto store them as index labels or structured metadata or drop them altogether." - properties: - action: - description: "Action defines the indexing action for the selected attributes. They\ncan be either added to structured metadata or drop altogether." - enum: - - "structured_metadata" - - "drop" - type: "string" - attributes: - description: "Attributes allows choosing the attributes by listing their names." - items: - type: "string" - type: "array" - regex: - description: "Regex allows choosing the attributes by matching a regular expression." - type: "string" - required: - - "action" - type: "object" - type: "array" - resourceAttributes: - description: "ResourceAttributes contains the configuration for resource attributes\nto store them as index labels or structured metadata or drop them altogether." + streamLabels: + description: "StreamLabels configures which resource attributes are converted to Loki stream labels." properties: - attributes: - description: "Attributes contains the configuration for resource attributes\nto store them as index labels or structured metadata or drop them altogether." 
+ resourceAttributes: + description: "ResourceAttributes lists the names of the resource attributes that should be converted into Loki stream labels." items: - description: "OTLPResourceAttributesConfigSpec contains the configuration for a set of resource attributes\nto store them as index labels or structured metadata or drop them altogether." properties: - action: - description: "Action defines the indexing action for the selected resoure attributes. They\ncan be either indexed as labels, added to structured metadata or drop altogether." - enum: - - "index_label" - - "structured_metadata" - - "drop" + name: + description: "Name contains either a verbatim name of an attribute or a regular expression matching many attributes." type: "string" - attributes: - description: "Attributes is the list of attributes to configure indexing or drop them\naltogether." - items: - type: "string" - type: "array" regex: - description: "Regex allows choosing the attributes by matching a regular expression." + description: "If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name." + type: "boolean" + required: + - "name" + type: "object" + type: "array" + type: "object" + structuredMetadata: + description: "StructuredMetadata configures which attributes are saved in structured metadata." + properties: + logAttributes: + description: "LogAttributes lists the names of log attributes that should be included in structured metadata." + items: + properties: + name: + description: "Name contains either a verbatim name of an attribute or a regular expression matching many attributes." type: "string" + regex: + description: "If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name." 
+ type: "boolean" required: - - "action" + - "name" + type: "object" + type: "array" + resourceAttributes: + description: "ResourceAttributes lists the names of resource attributes that should be included in structured metadata." + items: + properties: + name: + description: "Name contains either a verbatim name of an attribute or a regular expression matching many attributes." + type: "string" + regex: + description: "If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name." + type: "boolean" + required: + - "name" + type: "object" + type: "array" + scopeAttributes: + description: "ScopeAttributes lists the names of scope attributes that should be included in structured metadata." + items: + properties: + name: + description: "Name contains either a verbatim name of an attribute or a regular expression matching many attributes." + type: "string" + regex: + description: "If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name." + type: "boolean" + required: + - "name" type: "object" type: "array" - ignoreDefaults: - description: "IgnoreDefaults controls whether to ignore the global configuration for resource attributes\nindexed as labels.\n\nIf IgnoreDefaults is true, then this spec needs to contain at least one mapping to a index label." - type: "boolean" type: "object" - scopeAttributes: - description: "ScopeAttributes contains the configuration for scope attributes\nto store them as structured metadata or drop them altogether." - items: - description: "OTLPAttributesSpec contains the configuration for a set of attributes\nto store them as index labels or structured metadata or drop them altogether." - properties: - action: - description: "Action defines the indexing action for the selected attributes. They\ncan be either added to structured metadata or drop altogether." 
- enum: - - "structured_metadata" - - "drop" - type: "string" - attributes: - description: "Attributes allows choosing the attributes by listing their names." - items: - type: "string" - type: "array" - regex: - description: "Regex allows choosing the attributes by matching a regular expression." - type: "string" - required: - - "action" - type: "object" - type: "array" type: "object" queries: description: "QueryLimits defines the limit applied on querying log streams." @@ -600,6 +569,7 @@ spec: description: "Size defines one of the support Loki deployment scale out sizes." enum: - "1x.demo" + - "1x.pico" - "1x.extra-small" - "1x.small" - "1x.medium" @@ -2523,6 +2493,13 @@ spec: items: type: "string" type: "array" + otlp: + description: "OTLP contains settings for ingesting data using OTLP in the OpenShift tenancy mode." + properties: + disableRecommendedAttributes: + description: "DisableRecommendedAttributes can be used to reduce the number of attributes used for stream labels and structured\nmetadata.\n\nEnabling this setting removes the \"recommended attributes\" from the generated Loki configuration. This will cause\nmeta information to not be available as stream labels or structured metadata, potentially making queries more\nexpensive and less performant.\n\nNote that there is a set of \"required attributes\", needed for OpenShift Logging to work properly. Those will be\nadded to the configuration, even if this field is set to true.\n\nThis option is supposed to be combined with a custom label configuration customizing the labels for the specific\nusecase." + type: "boolean" + type: "object" type: "object" required: - "mode" diff --git a/crd-catalog/grafana/tempo-operator/tempo.grafana.com/v1alpha1/tempostacks.yaml b/crd-catalog/grafana/tempo-operator/tempo.grafana.com/v1alpha1/tempostacks.yaml index 3a2e56364..d019c6e09 100644 --- a/crd-catalog/grafana/tempo-operator/tempo.grafana.com/v1alpha1/tempostacks.yaml 
+++ b/crd-catalog/grafana/tempo-operator/tempo.grafana.com/v1alpha1/tempostacks.yaml @@ -60,6 +60,12 @@ spec: enableIPv6: description: "EnableIPv6 enables IPv6 support for the memberlist based hash ring." type: "boolean" + instanceAddrType: + description: "InstanceAddrType defines the type of address to use to advertise to the ring.\nDefaults to the first address from any private network interfaces of the current pod.\nAlternatively the public pod IP can be used in case private networks (RFC 1918 and RFC 6598)\nare not available." + enum: + - "default" + - "podIP" + type: "string" type: "object" type: "object" images: diff --git a/crd-catalog/gravitational/teleport/resources.teleport.dev/v5/teleportroles.yaml b/crd-catalog/gravitational/teleport/resources.teleport.dev/v5/teleportroles.yaml index 20c2a233e..bb837ed2c 100644 --- a/crd-catalog/gravitational/teleport/resources.teleport.dev/v5/teleportroles.yaml +++ b/crd-catalog/gravitational/teleport/resources.teleport.dev/v5/teleportroles.yaml @@ -30,6 +30,16 @@ spec: allow: description: "Allow is the set of conditions evaluated to grant access." properties: + account_assignments: + description: "AccountAssignments holds the list of account assignments affected by this condition." + items: + properties: + account: + type: "string" + permission_set: + type: "string" + type: "object" + type: "array" app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -208,7 +218,7 @@ spec: items: properties: kind: - description: "Kind specifies the Kubernetes Resource type. At the moment only \"pod\" is supported." + description: "Kind specifies the Kubernetes Resource type." type: "string" name: description: "Name is the resource name. It supports wildcards." 
@@ -452,6 +462,16 @@ spec: deny: description: "Deny is the set of conditions evaluated to deny access. Deny takes priority over allow." properties: + account_assignments: + description: "AccountAssignments holds the list of account assignments affected by this condition." + items: + properties: + account: + type: "string" + permission_set: + type: "string" + type: "object" + type: "array" app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -630,7 +650,7 @@ spec: items: properties: kind: - description: "Kind specifies the Kubernetes Resource type. At the moment only \"pod\" is supported." + description: "Kind specifies the Kubernetes Resource type." type: "string" name: description: "Name is the resource name. It supports wildcards." diff --git a/crd-catalog/gravitational/teleport/resources.teleport.dev/v6/teleportroles.yaml b/crd-catalog/gravitational/teleport/resources.teleport.dev/v6/teleportroles.yaml index 6a626d5a5..3efd1ec01 100644 --- a/crd-catalog/gravitational/teleport/resources.teleport.dev/v6/teleportroles.yaml +++ b/crd-catalog/gravitational/teleport/resources.teleport.dev/v6/teleportroles.yaml @@ -30,6 +30,16 @@ spec: allow: description: "Allow is the set of conditions evaluated to grant access." properties: + account_assignments: + description: "AccountAssignments holds the list of account assignments affected by this condition." + items: + properties: + account: + type: "string" + permission_set: + type: "string" + type: "object" + type: "array" app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -208,7 +218,7 @@ spec: items: properties: kind: - description: "Kind specifies the Kubernetes Resource type. At the moment only \"pod\" is supported." + description: "Kind specifies the Kubernetes Resource type." type: "string" name: description: "Name is the resource name. It supports wildcards." 
@@ -452,6 +462,16 @@ spec: deny: description: "Deny is the set of conditions evaluated to deny access. Deny takes priority over allow." properties: + account_assignments: + description: "AccountAssignments holds the list of account assignments affected by this condition." + items: + properties: + account: + type: "string" + permission_set: + type: "string" + type: "object" + type: "array" app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -630,7 +650,7 @@ spec: items: properties: kind: - description: "Kind specifies the Kubernetes Resource type. At the moment only \"pod\" is supported." + description: "Kind specifies the Kubernetes Resource type." type: "string" name: description: "Name is the resource name. It supports wildcards." diff --git a/crd-catalog/hashicorp/terraform-cloud-operator/app.terraform.io/v1alpha2/agentpools.yaml b/crd-catalog/hashicorp/terraform-cloud-operator/app.terraform.io/v1alpha2/agentpools.yaml index 474de6d37..cae335664 100644 --- a/crd-catalog/hashicorp/terraform-cloud-operator/app.terraform.io/v1alpha2/agentpools.yaml +++ b/crd-catalog/hashicorp/terraform-cloud-operator/app.terraform.io/v1alpha2/agentpools.yaml @@ -32,6 +32,16 @@ spec: agentDeployment: description: "Agent deployment settings" properties: + annotations: + additionalProperties: + type: "string" + description: "Annotations that will be applied to the pod template in the deployment." + type: "object" + labels: + additionalProperties: + type: "string" + description: "Labels that will be applied to the pod template in the deployment." + type: "object" replicas: format: "int32" type: "integer" diff --git a/crd-catalog/hashicorp/terraform-cloud-operator/app.terraform.io/v1alpha2/workspaces.yaml b/crd-catalog/hashicorp/terraform-cloud-operator/app.terraform.io/v1alpha2/workspaces.yaml index 2dc058aea..f1a7e5c0a 100644 --- a/crd-catalog/hashicorp/terraform-cloud-operator/app.terraform.io/v1alpha2/workspaces.yaml 
+++ b/crd-catalog/hashicorp/terraform-cloud-operator/app.terraform.io/v1alpha2/workspaces.yaml @@ -535,6 +535,9 @@ spec: description: "Current(both active and finished) HCP Terraform run status." type: "string" type: "object" + sshKeyID: + description: "SSH Key ID." + type: "string" terraformVersion: description: "Workspace Terraform version." pattern: "^\\d{1}\\.\\d{1,2}\\.\\d{1,2}$" diff --git a/crd-catalog/k8ssandra/cass-operator/cassandra.datastax.com/v1beta1/cassandradatacenters.yaml b/crd-catalog/k8ssandra/cass-operator/cassandra.datastax.com/v1beta1/cassandradatacenters.yaml index 5949d40a1..b6de2b514 100644 --- a/crd-catalog/k8ssandra/cass-operator/cassandra.datastax.com/v1beta1/cassandradatacenters.yaml +++ b/crd-catalog/k8ssandra/cass-operator/cassandra.datastax.com/v1beta1/cassandradatacenters.yaml 
@@ -224,7 +224,7 @@ spec: description: "ConfigSecret is the name of a secret that contains configuration for Cassandra. The\nsecret is expected to have a property named config whose value should be a JSON\nformatted string that should look like this:\n\n\n config: |-\n {\n \"cassandra-yaml\": {\n \"read_request_timeout_in_ms\": 10000\n },\n \"jmv-options\": {\n \"max_heap_size\": 1024M\n }\n }\n\n\nConfigSecret is mutually exclusive with Config. ConfigSecret takes precedence and\nwill be used exclusively if both properties are set. The operator sets a watch such\nthat an update to the secret will trigger an update of the StatefulSets." type: "string" datacenterName: - description: "DatacenterName allows to override the name of the Cassandra datacenter. Kubernetes objects will be named after a sanitized version of it if set, and if not metadata.name. In Cassandra the DC name will be overridden by this value.\nIt may generate some confusion as objects created for the DC will have a different name than the CasandraDatacenter object itself.\nThis setting can create conflicts if multiple DCs coexist in the same namespace if metadata.name for a DC with no override is set to the same value as the override name of another DC.\nUse cautiously." + description: "DatacenterName allows to override the name of the Cassandra datacenter. In Cassandra the DC name will be overridden by this value.\nThis setting can create conflicts if multiple DCs coexist in the same namespace if metadata.name for a DC with no override is set to the same value as the override name of another DC.\nUse cautiously." type: "string" disableSystemLoggerSidecar: description: "Configuration for disabling the simple log tailing sidecar container. Our default is to have it enabled." 
@@ -6733,6 +6733,9 @@ spec: description: "The timestamp when the operator last started a Server node\nwith the management API" format: "date-time" type: "string" + metadataVersion: + format: "int64" + type: "integer" nodeReplacements: items: type: "string" diff --git a/crd-catalog/kubeedge/kubeedge/devices.kubeedge.io/v1beta1/devices.yaml b/crd-catalog/kubeedge/kubeedge/devices.kubeedge.io/v1beta1/devices.yaml index 7505c9906..903f98227 100644 --- a/crd-catalog/kubeedge/kubeedge/devices.kubeedge.io/v1beta1/devices.yaml +++ b/crd-catalog/kubeedge/kubeedge/devices.kubeedge.io/v1beta1/devices.yaml @@ -200,6 +200,13 @@ spec: description: "publish topic for mqtt" type: "string" type: "object" + otel: + description: "OTEL Push Method configuration for otel" + properties: + endpointURL: + description: "the target endpoint URL the Exporter will connect to, like https://localhost:4318/v1/metrics" + type: "string" + type: "object" type: "object" reportCycle: description: "Define how frequent mapper will report the value." @@ -239,6 +246,13 @@ spec: lastOnlineTime: description: "Optional: The last time the device was online." type: "string" + reportCycle: + description: "Optional: Define how frequent mapper will report the device status." + format: "int64" + type: "integer" + reportToCloud: + description: "Optional: whether be reported to the cloud" + type: "boolean" state: description: "Optional: The state of the device." type: "string" diff --git a/crd-catalog/kubeedge/kubeedge/operations.kubeedge.io/v1alpha1/nodeupgradejobs.yaml b/crd-catalog/kubeedge/kubeedge/operations.kubeedge.io/v1alpha1/nodeupgradejobs.yaml index e34af7879..92f86ce7a 100644 --- a/crd-catalog/kubeedge/kubeedge/operations.kubeedge.io/v1alpha1/nodeupgradejobs.yaml +++ b/crd-catalog/kubeedge/kubeedge/operations.kubeedge.io/v1alpha1/nodeupgradejobs.yaml 
@@ -44,6 +44,24 @@ spec: image: description: "Image specifies a container image name, the image contains: keadm and edgecore. keadm is used as upgradetool, to install the new version of edgecore. The image name consists of registry hostname and repository name, if it includes the tag or digest, the tag or digest will be overwritten by Version field above. If the registry hostname is empty, docker.io will be used as default. The default image name is: kubeedge/installation-package." type: "string" + imageDigestGatter: + description: "ImageDigestGatter define registry v2 interface access configuration. As a transition, it is not required at first, and the image digest is checked when this field is set." + properties: + registryAPI: + description: "RegistryAPI define registry v2 interface access configuration" + properties: + host: + type: "string" + token: + type: "string" + required: + - "host" + - "token" + type: "object" + value: + description: "Value used to directly set a value to check image" + type: "string" + type: "object" labelSelector: description: "LabelSelector is a filter to select member clusters by labels. It must match a node's labels for the NodeUpgradeJob to be operated on that node. Please note that sets of NodeNames and LabelSelector are ORed. Users must set one and can only set one." properties: @@ -79,6 +97,9 @@ spec: items: type: "string" type: "array" + requireConfirmation: + description: "RequireConfirmation specifies whether you need to confirm the upgrade. The default RequireConfirmation value is false." + type: "boolean" timeoutSeconds: description: "TimeoutSeconds limits the duration of the node upgrade job. Default to 300. If set to 0, we'll use the default value 300." format: "int32" 
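Review bot: `imageDigestGatter.registryAPI.token` in the first hunk is a plain `type: "string"` inside the NodeUpgradeJob spec, so a registry credential set there lives in the object itself. It is readable by any subject allowed to get or list these jobs, and it appears wherever the spec is dumped or logged. `host` and `token` are both listed under `required`, so the credential cannot be omitted once `registryAPI` is used. This is a copy of the upstream schema and cannot be fixed here, but the catalog entry should carry the caveat, for example `token: registry credential stored in clear text in the spec; restrict get/list on nodeupgradejobs and use a short-lived, read-only token`. The sibling `value` field looks like the credential-free alternative, though its description only says it sets "a value to check image".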
diff --git a/crd-catalog/kubernetes-sigs/aws-load-balancer-controller/elbv2.k8s.aws/v1alpha1/targetgroupbindings.yaml b/crd-catalog/kubernetes-sigs/aws-load-balancer-controller/elbv2.k8s.aws/v1alpha1/targetgroupbindings.yaml index b2353c74d..832df5aff 100644 --- a/crd-catalog/kubernetes-sigs/aws-load-balancer-controller/elbv2.k8s.aws/v1alpha1/targetgroupbindings.yaml +++ b/crd-catalog/kubernetes-sigs/aws-load-balancer-controller/elbv2.k8s.aws/v1alpha1/targetgroupbindings.yaml @@ -50,6 +50,9 @@ spec: spec: description: "TargetGroupBindingSpec defines the desired state of TargetGroupBinding" properties: + multiClusterTargetGroup: + description: "MultiClusterTargetGroup Denotes if the TargetGroup is shared among multiple clusters" + type: "boolean" networking: description: "networking provides the networking setup for ELBV2 LoadBalancer to access targets in TargetGroup." properties: diff --git a/crd-catalog/kubernetes-sigs/aws-load-balancer-controller/elbv2.k8s.aws/v1beta1/targetgroupbindings.yaml b/crd-catalog/kubernetes-sigs/aws-load-balancer-controller/elbv2.k8s.aws/v1beta1/targetgroupbindings.yaml index f53502be2..890c5af15 100644 --- a/crd-catalog/kubernetes-sigs/aws-load-balancer-controller/elbv2.k8s.aws/v1beta1/targetgroupbindings.yaml +++ b/crd-catalog/kubernetes-sigs/aws-load-balancer-controller/elbv2.k8s.aws/v1beta1/targetgroupbindings.yaml @@ -56,6 +56,9 @@ spec: - "ipv4" - "ipv6" type: "string" + multiClusterTargetGroup: + description: "MultiClusterTargetGroup Denotes if the TargetGroup is shared among multiple clusters" + type: "boolean" networking: description: "networking defines the networking rules to allow ELBV2 LoadBalancer to access targets in TargetGroup." properties: diff --git a/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/clusters.yaml b/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/clusters.yaml index ee933dddf..f8ebbc926 100644 
--- a/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/clusters.yaml +++ b/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/clusters.yaml @@ -655,10 +655,10 @@ spec: description: "FailureDomains is a slice of failure domain objects synced from the infrastructure provider." type: "object" failureMessage: - description: "FailureMessage indicates that there is a fatal problem reconciling the\nstate, and will be set to a descriptive error message." + description: "FailureMessage indicates that there is a fatal problem reconciling the\nstate, and will be set to a descriptive error message.\n\nDeprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details." type: "string" failureReason: - description: "FailureReason indicates that there is a fatal problem reconciling the\nstate, and will be set to a token value suitable for\nprogrammatic interpretation." + description: "FailureReason indicates that there is a fatal problem reconciling the\nstate, and will be set to a token value suitable for\nprogrammatic interpretation.\n\nDeprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details." type: "string" infrastructureReady: description: "InfrastructureReady is the state of the infrastructure provider." diff --git a/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machinepools.yaml b/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machinepools.yaml index 841fb3b5b..8fc6f6748 100644 --- a/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machinepools.yaml +++ b/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machinepools.yaml 
@@ -252,10 +252,10 @@ spec: type: "object" type: "array" failureMessage: - description: "FailureMessage indicates that there is a problem reconciling the state,\nand will be set to a descriptive error message." + description: "FailureMessage indicates that there is a problem reconciling the state,\nand will be set to a descriptive error message.\n\nDeprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details." type: "string" failureReason: - description: "FailureReason indicates that there is a problem reconciling the state, and\nwill be set to a token value suitable for programmatic interpretation." + description: "FailureReason indicates that there is a problem reconciling the state, and\nwill be set to a token value suitable for programmatic interpretation.\n\nDeprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details." type: "string" infrastructureReady: description: "InfrastructureReady is the state of the infrastructure provider." diff --git a/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machines.yaml b/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machines.yaml index e48d2694f..08db1ac00 100644 --- a/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machines.yaml +++ b/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machines.yaml 
@@ -232,10 +232,10 @@ spec: type: "string" type: "object" failureMessage: - description: "FailureMessage will be set in the event that there is a terminal problem\nreconciling the Machine and will contain a more verbose string suitable\nfor logging and human consumption.\n\nThis field should not be set for transitive errors that a controller\nfaces that are expected to be fixed automatically over\ntime (like service outages), but instead indicate that something is\nfundamentally wrong with the Machine's spec or the configuration of\nthe controller, and that manual intervention is required. Examples\nof terminal errors would be invalid combinations of settings in the\nspec, values that are unsupported by the controller, or the\nresponsible controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines\ncan be added as events to the Machine object and/or logged in the\ncontroller's output." + description: "FailureMessage will be set in the event that there is a terminal problem\nreconciling the Machine and will contain a more verbose string suitable\nfor logging and human consumption.\n\nThis field should not be set for transitive errors that a controller\nfaces that are expected to be fixed automatically over\ntime (like service outages), but instead indicate that something is\nfundamentally wrong with the Machine's spec or the configuration of\nthe controller, and that manual intervention is required. Examples\nof terminal errors would be invalid combinations of settings in the\nspec, values that are unsupported by the controller, or the\nresponsible controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines\ncan be added as events to the Machine object and/or logged in the\ncontroller's output.\n\nDeprecated: This field is deprecated and is going to be removed in the next apiVersion. 
Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details." type: "string" failureReason: - description: "FailureReason will be set in the event that there is a terminal problem\nreconciling the Machine and will contain a succinct value suitable\nfor machine interpretation.\n\nThis field should not be set for transitive errors that a controller\nfaces that are expected to be fixed automatically over\ntime (like service outages), but instead indicate that something is\nfundamentally wrong with the Machine's spec or the configuration of\nthe controller, and that manual intervention is required. Examples\nof terminal errors would be invalid combinations of settings in the\nspec, values that are unsupported by the controller, or the\nresponsible controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines\ncan be added as events to the Machine object and/or logged in the\ncontroller's output." + description: "FailureReason will be set in the event that there is a terminal problem\nreconciling the Machine and will contain a succinct value suitable\nfor machine interpretation.\n\nThis field should not be set for transitive errors that a controller\nfaces that are expected to be fixed automatically over\ntime (like service outages), but instead indicate that something is\nfundamentally wrong with the Machine's spec or the configuration of\nthe controller, and that manual intervention is required. 
Examples\nof terminal errors would be invalid combinations of settings in the\nspec, values that are unsupported by the controller, or the\nresponsible controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines\ncan be added as events to the Machine object and/or logged in the\ncontroller's output.\n\nDeprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details." type: "string" infrastructureReady: description: "InfrastructureReady is the state of the infrastructure provider." diff --git a/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machinesets.yaml b/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machinesets.yaml index efa773395..dc896a4ff 100644 --- a/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machinesets.yaml +++ b/crd-catalog/kubernetes-sigs/cluster-api/cluster.x-k8s.io/v1beta1/machinesets.yaml 
@@ -283,9 +283,10 @@ spec: type: "object" type: "array" failureMessage: + description: "Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details." type: "string" failureReason: - description: "In the event that there is a terminal problem reconciling the\nreplicas, both FailureReason and FailureMessage will be set. FailureReason\nwill be populated with a succinct value suitable for machine\ninterpretation, while FailureMessage will contain a more verbose\nstring suitable for logging and human consumption.\n\nThese fields should not be set for transitive errors that a\ncontroller faces that are expected to be fixed automatically over\ntime (like service outages), but instead indicate that something is\nfundamentally wrong with the MachineTemplate's spec or the configuration of\nthe machine controller, and that manual intervention is required. Examples\nof terminal errors would be invalid combinations of settings in the\nspec, values that are unsupported by the machine controller, or the\nresponsible machine controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines\ncan be added as events to the MachineSet object and/or logged in the\ncontroller's output." + description: "In the event that there is a terminal problem reconciling the\nreplicas, both FailureReason and FailureMessage will be set. 
FailureReason\nwill be populated with a succinct value suitable for machine\ninterpretation, while FailureMessage will contain a more verbose\nstring suitable for logging and human consumption.\n\nThese fields should not be set for transitive errors that a\ncontroller faces that are expected to be fixed automatically over\ntime (like service outages), but instead indicate that something is\nfundamentally wrong with the MachineTemplate's spec or the configuration of\nthe machine controller, and that manual intervention is required. Examples\nof terminal errors would be invalid combinations of settings in the\nspec, values that are unsupported by the machine controller, or the\nresponsible machine controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines\ncan be added as events to the MachineSet object and/or logged in the\ncontroller's output.\n\nDeprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details." type: "string" fullyLabeledReplicas: description: "The number of replicas that have labels matching the labels of the machine template of the MachineSet." diff --git a/crd-catalog/kubernetes-sigs/jobset/jobset.x-k8s.io/v1alpha2/jobsets.yaml b/crd-catalog/kubernetes-sigs/jobset/jobset.x-k8s.io/v1alpha2/jobsets.yaml index 89b813f4f..70d420993 100644 --- a/crd-catalog/kubernetes-sigs/jobset/jobset.x-k8s.io/v1alpha2/jobsets.yaml +++ b/crd-catalog/kubernetes-sigs/jobset/jobset.x-k8s.io/v1alpha2/jobsets.yaml 
@@ -71,6 +71,13 @@ spec: description: "MaxRestarts defines the limit on the number of JobSet restarts.\nA restart is achieved by recreating all active child jobs." format: "int32" type: "integer" + restartStrategy: + default: "Recreate" + description: "RestartStrategy defines the strategy to use when restarting the JobSet.\nDefaults to Recreate." + enum: + - "Recreate" + - "BlockingRecreate" + type: "string" rules: description: "List of failure policy rules for this JobSet.\nFor a given Job failure, the rules will be evaluated in order,\nand only the first matching rule will be executed.\nIf no matching rule is found, the RestartJobSet action is applied." items: diff --git a/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/clusterqueues.yaml b/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/clusterqueues.yaml index 77224944b..54a198b0a 100644 --- a/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/clusterqueues.yaml +++ b/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/clusterqueues.yaml 
@@ -170,7 +170,7 @@ spec: type: "object" reclaimWithinCohort: default: "Never" - description: "reclaimWithinCohort determines whether a pending Workload can preempt\nWorkloads from other ClusterQueues in the cohort that are using more than\ntheir nominal quota. The possible values are:\n\n- `Never` (default): do not preempt Workloads in the cohort.\n- `LowerPriority`: if the pending Workload fits within the nominal\n quota of its ClusterQueue, only preempt Workloads in the cohort that have\n lower priority than the pending Workload.\n- `Any`: if the pending Workload fits within the nominal quota of its\n ClusterQueue, preempt any Workload in the cohort, irrespective of\n priority." + description: "reclaimWithinCohort determines whether a pending Workload can preempt\nWorkloads from other ClusterQueues in the cohort that are using more than\ntheir nominal quota. The possible values are:\n\n- `Never` (default): do not preempt Workloads in the cohort.\n- `LowerPriority`: **Classic Preemption** if the pending Workload\n fits within the nominal quota of its ClusterQueue, only preempt\n Workloads in the cohort that have lower priority than the pending\n Workload. **Fair Sharing** only preempt Workloads in the cohort that\n have lower priority than the pending Workload and that satisfy the\n fair sharing preemptionStategies.\n- `Any`: **Classic Preemption** if the pending Workload fits within\n the nominal quota of its ClusterQueue, preempt any Workload in the\n cohort, irrespective of priority. **Fair Sharing** preempt Workloads\n in the cohort that satisfy the fair sharing preemptionStrategies." enum: - "Never" - "LowerPriority" diff --git a/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/localqueues.yaml b/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/localqueues.yaml index a660e9273..ce6d0cf61 100644 --- a/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/localqueues.yaml 
+++ b/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/localqueues.yaml 
@@ -157,6 +157,63 @@ spec: x-kubernetes-list-map-keys: - "name" x-kubernetes-list-type: "map" + flavors: + description: "flavors lists all currently available ResourceFlavors in specified ClusterQueue." + items: + properties: + name: + description: "name of the flavor." + maxLength: 253 + pattern: "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + type: "string" + nodeLabels: + additionalProperties: + type: "string" + description: "nodeLabels are labels that associate the ResourceFlavor with Nodes that\nhave the same labels." + maxProperties: 8 + type: "object" + x-kubernetes-map-type: "atomic" + nodeTaints: + description: "nodeTaints are taints that the nodes associated with this ResourceFlavor\nhave." + items: + description: "The node this Taint is attached to has the \"effect\" on\nany pod that does not tolerate the Taint." + properties: + effect: + description: "Required. The effect of the taint on pods\nthat do not tolerate the taint.\nValid effects are NoSchedule, PreferNoSchedule and NoExecute." + type: "string" + key: + description: "Required. The taint key to be applied to a node." + type: "string" + timeAdded: + description: "TimeAdded represents the time at which the taint was added.\nIt is only written for NoExecute taints." + format: "date-time" + type: "string" + value: + description: "The taint value corresponding to the taint key." + type: "string" + required: + - "effect" + - "key" + type: "object" + maxItems: 8 + type: "array" + x-kubernetes-list-type: "atomic" + resources: + description: "resources used in the flavor." + items: + description: "ResourceName is the name identifying various resources in a ResourceList." 
+ type: "string" + maxItems: 16 + type: "array" + x-kubernetes-list-type: "set" + required: + - "name" + type: "object" + maxItems: 16 + type: "array" + x-kubernetes-list-map-keys: + - "name" + x-kubernetes-list-type: "map" flavorsReservation: description: "flavorsReservation are the reserved quotas, by flavor currently in use by the\nworkloads assigned to this LocalQueue." items: diff --git a/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/workloads.yaml b/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/workloads.yaml index 8f50da978..9ce337046 100644 --- a/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/workloads.yaml +++ b/crd-catalog/kubernetes-sigs/kueue/kueue.x-k8s.io/v1beta1/workloads.yaml @@ -56,6 +56,11 @@ spec: default: true description: "Active determines if a workload can be admitted into a queue.\nChanging active from true to false will evict any running workloads.\nPossible values are:\n\n - false: indicates that a workload should never be admitted and evicts running workloads\n - true: indicates that a workload can be evaluated for admission into it's respective queue.\n\nDefaults to true" type: "boolean" + maximumExecutionTimeSeconds: + description: "maximumExecutionTimeSeconds if provided, determines the maximum time, in seconds,\nthe workload can be admitted before it's automatically deactivated.\n\nIf unspecified, no execution time limit is enforced on the Workload." + format: "int32" + minimum: 1.0 + type: "integer" podSets: description: "podSets is a list of sets of homogeneous pods, each described by a Pod spec\nand a count.\nThere must be at least one element and at most 8.\npodSets cannot be changed." items: 
@@ -5163,6 +5168,8 @@ spec: rule: "(has(oldSelf.status) && has(oldSelf.status.conditions) && oldSelf.status.conditions.exists(c, c.type == 'QuotaReserved' && c.status == 'True') && has(oldSelf.spec.priorityClassName) && has(self.spec.priorityClassName)) ? (oldSelf.spec.priorityClassName == self.spec.priorityClassName) : true" - message: "field is immutable" rule: "(has(oldSelf.status) && has(oldSelf.status.conditions) && oldSelf.status.conditions.exists(c, c.type == 'QuotaReserved' && c.status == 'True')) && (has(self.status) && has(self.status.conditions) && self.status.conditions.exists(c, c.type == 'QuotaReserved' && c.status == 'True')) && has(oldSelf.spec.queueName) && has(self.spec.queueName) ? oldSelf.spec.queueName == self.spec.queueName : true" + - message: "maximumExecutionTimeSeconds is immutable while admitted" + rule: "((has(oldSelf.status) && has(oldSelf.status.conditions) && oldSelf.status.conditions.exists(c, c.type == 'Admitted' && c.status == 'True')) && (has(self.status) && has(self.status.conditions) && self.status.conditions.exists(c, c.type == 'Admitted' && c.status == 'True')))?((has(oldSelf.spec.maximumExecutionTimeSeconds)?oldSelf.spec.maximumExecutionTimeSeconds:0) == (has(self.spec.maximumExecutionTimeSeconds)?self.spec.maximumExecutionTimeSeconds:0)):true" served: true storage: true subresources: diff --git a/crd-catalog/kyverno/kyverno/kyverno.io/v2/cleanuppolicies.yaml b/crd-catalog/kyverno/kyverno/kyverno.io/v2/cleanuppolicies.yaml index 9d44a59cc..f364fa934 100644 --- a/crd-catalog/kyverno/kyverno/kyverno.io/v2/cleanuppolicies.yaml +++ b/crd-catalog/kyverno/kyverno/kyverno.io/v2/cleanuppolicies.yaml 
@@ -269,6 +269,13 @@ spec: - "name" type: "object" type: "array" + deletionPropagationPolicy: + description: "DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan)." + enum: + - "Foreground" + - "Background" + - "Orphan" + type: "string" exclude: description: "ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role." not: diff --git a/crd-catalog/kyverno/kyverno/kyverno.io/v2/clustercleanuppolicies.yaml b/crd-catalog/kyverno/kyverno/kyverno.io/v2/clustercleanuppolicies.yaml index 954e91338..f9d331359 100644 --- a/crd-catalog/kyverno/kyverno/kyverno.io/v2/clustercleanuppolicies.yaml +++ b/crd-catalog/kyverno/kyverno/kyverno.io/v2/clustercleanuppolicies.yaml @@ -269,6 +269,13 @@ spec: - "name" type: "object" type: "array" + deletionPropagationPolicy: + description: "DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan)." + enum: + - "Foreground" + - "Background" + - "Orphan" + type: "string" exclude: description: "ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role." not: diff --git a/crd-catalog/kyverno/kyverno/kyverno.io/v2beta1/cleanuppolicies.yaml b/crd-catalog/kyverno/kyverno/kyverno.io/v2beta1/cleanuppolicies.yaml index 2c201aa0f..06b014476 100644 --- a/crd-catalog/kyverno/kyverno/kyverno.io/v2beta1/cleanuppolicies.yaml +++ b/crd-catalog/kyverno/kyverno/kyverno.io/v2beta1/cleanuppolicies.yaml 
@@ -270,6 +270,13 @@ spec: - "name" type: "object" type: "array" + deletionPropagationPolicy: + description: "DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan)." + enum: + - "Foreground" + - "Background" + - "Orphan" + type: "string" exclude: description: "ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role." not: diff --git a/crd-catalog/kyverno/kyverno/kyverno.io/v2beta1/clustercleanuppolicies.yaml b/crd-catalog/kyverno/kyverno/kyverno.io/v2beta1/clustercleanuppolicies.yaml index b608753d8..172ee5c6b 100644 --- a/crd-catalog/kyverno/kyverno/kyverno.io/v2beta1/clustercleanuppolicies.yaml +++ b/crd-catalog/kyverno/kyverno/kyverno.io/v2beta1/clustercleanuppolicies.yaml @@ -270,6 +270,13 @@ spec: - "name" type: "object" type: "array" + deletionPropagationPolicy: + description: "DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan)." + enum: + - "Foreground" + - "Background" + - "Orphan" + type: "string" exclude: description: "ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role." not: diff --git a/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/backups.yaml b/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/backups.yaml index bb861e224..58126826b 100644 --- a/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/backups.yaml +++ b/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/backups.yaml 
@@ -497,8 +497,141 @@ spec: serviceAccountName: description: "ServiceAccountName is the name of the ServiceAccount to be used by the Pods." type: "string" + stagingStorage: + description: "StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed.\nIt defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Backup Job is scheduled.\nThe staging area gets cleaned up after each backup is completed, consider this for sizing it appropriately." + properties: + persistentVolumeClaim: + description: "PersistentVolumeClaim is a Kubernetes PVC specification." + properties: + accessModes: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + resources: + description: "VolumeResourceRequirements describes the storage resource requirements for a volume." + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. 
Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + type: "object" + selector: + description: "A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects." + properties: + matchExpressions: + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: + description: "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values." + properties: + key: + description: "key is the label key that the selector applies to." + type: "string" + operator: + description: "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + values: + description: "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch." + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + description: "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + type: "string" + type: "object" + volume: + description: "Volume is a Kubernetes volume specification." 
+ properties: + csi: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core." + properties: + driver: + type: "string" + fsType: + type: "string" + nodePublishSecretRef: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#localobjectreference-v1-core." + properties: + name: + default: "" + type: "string" + type: "object" + readOnly: + type: "boolean" + volumeAttributes: + additionalProperties: + type: "string" + type: "object" + required: + - "driver" + type: "object" + emptyDir: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#emptydirvolumesource-v1-core." + properties: + medium: + description: "StorageMedium defines ways that storage can be allocated to a volume." + type: "string" + sizeLimit: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + nfs: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#nfsvolumesource-v1-core." + properties: + path: + type: "string" + readOnly: + type: "boolean" + server: + type: "string" + required: + - "path" + - "server" + type: "object" + persistentVolumeClaim: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core." + properties: + claimName: + type: "string" + readOnly: + type: "boolean" + required: + - "claimName" + type: "object" + type: "object" + type: "object" storage: - description: "Storage to be used in the Backup." + description: "Storage defines the final storage for backups." 
properties: persistentVolumeClaim: description: "PersistentVolumeClaim is a Kubernetes PVC specification." @@ -645,16 +778,6 @@ spec: volume: description: "Volume is a Kubernetes volume specification." properties: - configMap: - description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#configmapvolumesource-v1-core." - properties: - defaultMode: - format: "int32" - type: "integer" - name: - default: "" - type: "string" - type: "object" csi: description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core." properties: @@ -714,15 +837,6 @@ spec: required: - "claimName" type: "object" - secret: - description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#secretvolumesource-v1-core." - properties: - defaultMode: - format: "int32" - type: "integer" - secretName: - type: "string" - type: "object" type: "object" type: "object" successfulJobsHistoryLimit: diff --git a/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/mariadbs.yaml b/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/mariadbs.yaml index 831fcbd4d..53d11e371 100644 --- a/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/mariadbs.yaml +++ b/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/mariadbs.yaml 
@@ -609,6 +609,139 @@ spec: - "endpoint" - "secretAccessKeySecretKeyRef" type: "object" + stagingStorage: + description: "StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed.\nIt defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Restore Job is scheduled." + properties: + persistentVolumeClaim: + description: "PersistentVolumeClaim is a Kubernetes PVC specification." + properties: + accessModes: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + resources: + description: "VolumeResourceRequirements describes the storage resource requirements for a volume." + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + type: "object" + selector: + description: "A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. 
A null\nlabel selector matches no objects." + properties: + matchExpressions: + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: + description: "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values." + properties: + key: + description: "key is the label key that the selector applies to." + type: "string" + operator: + description: "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + values: + description: "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch." + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + description: "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + type: "string" + type: "object" + volume: + description: "Volume is a Kubernetes volume specification." + properties: + csi: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core." + properties: + driver: + type: "string" + fsType: + type: "string" + nodePublishSecretRef: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#localobjectreference-v1-core." 
+ properties: + name: + default: "" + type: "string" + type: "object" + readOnly: + type: "boolean" + volumeAttributes: + additionalProperties: + type: "string" + type: "object" + required: + - "driver" + type: "object" + emptyDir: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#emptydirvolumesource-v1-core." + properties: + medium: + description: "StorageMedium defines ways that storage can be allocated to a volume." + type: "string" + sizeLimit: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + nfs: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#nfsvolumesource-v1-core." + properties: + path: + type: "string" + readOnly: + type: "boolean" + server: + type: "string" + required: + - "path" + - "server" + type: "object" + persistentVolumeClaim: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core." + properties: + claimName: + type: "string" + readOnly: + type: "boolean" + required: + - "claimName" + type: "object" + type: "object" + type: "object" targetRecoveryTime: description: "TargetRecoveryTime is a RFC3339 (1970-01-01T00:00:00Z) date and time that defines the point in time recovery objective.\nIt is used to determine the closest restoration source in time." format: "date-time" 
@@ -616,16 +749,6 @@ spec: volume: description: "Volume is a Kubernetes Volume object that contains a backup." properties: - configMap: - description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#configmapvolumesource-v1-core." - properties: - defaultMode: - format: "int32" - type: "integer" - name: - default: "" - type: "string" - type: "object" csi: description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core." properties: @@ -685,15 +808,6 @@ spec: required: - "claimName" type: "object" - secret: - description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#secretvolumesource-v1-core." - properties: - defaultMode: - format: "int32" - type: "integer" - secretName: - type: "string" - type: "object" type: "object" type: "object" command: diff --git a/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/restores.yaml b/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/restores.yaml index 198a7ff11..1118403ba 100644 --- a/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/restores.yaml +++ b/crd-catalog/mariadb-operator/mariadb-operator/k8s.mariadb.com/v1alpha1/restores.yaml 
@@ -548,6 +548,139 @@ spec: serviceAccountName: description: "ServiceAccountName is the name of the ServiceAccount to be used by the Pods." type: "string" + stagingStorage: + description: "StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed.\nIt defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Restore Job is scheduled." + properties: + persistentVolumeClaim: + description: "PersistentVolumeClaim is a Kubernetes PVC specification." + properties: + accessModes: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + resources: + description: "VolumeResourceRequirements describes the storage resource requirements for a volume." + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + type: "object" + selector: + description: "A label selector is a label query over a set of resources. 
The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects." + properties: + matchExpressions: + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: + description: "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values." + properties: + key: + description: "key is the label key that the selector applies to." + type: "string" + operator: + description: "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + values: + description: "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch." + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + description: "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + type: "string" + type: "object" + volume: + description: "Volume is a Kubernetes volume specification." + properties: + csi: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core." 
+ properties: + driver: + type: "string" + fsType: + type: "string" + nodePublishSecretRef: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#localobjectreference-v1-core." + properties: + name: + default: "" + type: "string" + type: "object" + readOnly: + type: "boolean" + volumeAttributes: + additionalProperties: + type: "string" + type: "object" + required: + - "driver" + type: "object" + emptyDir: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#emptydirvolumesource-v1-core." + properties: + medium: + description: "StorageMedium defines ways that storage can be allocated to a volume." + type: "string" + sizeLimit: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + nfs: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#nfsvolumesource-v1-core." + properties: + path: + type: "string" + readOnly: + type: "boolean" + server: + type: "string" + required: + - "path" + - "server" + type: "object" + persistentVolumeClaim: + description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core." + properties: + claimName: + type: "string" + readOnly: + type: "boolean" + required: + - "claimName" + type: "object" + type: "object" + type: "object" targetRecoveryTime: description: "TargetRecoveryTime is a RFC3339 (1970-01-01T00:00:00Z) date and time that defines the point in time recovery objective.\nIt is used to determine the closest restoration source in time." format: "date-time" 
@@ -578,16 +711,6 @@ spec: volume: description: "Volume is a Kubernetes Volume object that contains a backup." properties: - configMap: - description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#configmapvolumesource-v1-core." - properties: - defaultMode: - format: "int32" - type: "integer" - name: - default: "" - type: "string" - type: "object" csi: description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core." properties: @@ -647,15 +770,6 @@ spec: required: - "claimName" type: "object" - secret: - description: "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#secretvolumesource-v1-core." - properties: - defaultMode: - format: "int32" - type: "integer" - secretName: - type: "string" - type: "object" type: "object" required: - "mariaDbRef" diff --git a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/baremetalhosts.yaml b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/baremetalhosts.yaml index 9fe3a8788..528b6b349 100644 --- a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/baremetalhosts.yaml +++ b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/baremetalhosts.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.12.1" + controller-gen.kubebuilder.io/version: "v0.16.3" name: "baremetalhosts.metal3.io" spec: group: "metal3.io" 
@@ -53,10 +53,10 @@ spec: description: "BareMetalHost is the Schema for the baremetalhosts API" properties: apiVersion: - description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" type: "string" kind: - description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: "string" metadata: type: "object" 
@@ -64,73 +64,73 @@ spec: description: "BareMetalHostSpec defines the desired state of BareMetalHost." properties: architecture: - description: "CPU architecture of the host, e.g. \"x86_64\" or \"aarch64\". If unset, eventually populated by inspection." + description: "CPU architecture of the host, e.g. \"x86_64\" or \"aarch64\". If unset,\neventually populated by inspection." type: "string" automatedCleaningMode: default: "metadata" - description: "When set to disabled, automated cleaning will be skipped during provisioning and deprovisioning." + description: "When set to disabled, automated cleaning will be skipped\nduring provisioning and deprovisioning." enum: - "metadata" - "disabled" type: "string" bmc: - description: "How do we connect to the BMC (Baseboard Management Controller) on the host?" + description: "How do we connect to the BMC (Baseboard Management Controller) on\nthe host?" properties: address: - description: "Address holds the URL for accessing the controller on the network. The scheme part designates the driver to use with the host." + description: "Address holds the URL for accessing the controller on the network.\nThe scheme part designates the driver to use with the host." type: "string" credentialsName: - description: "The name of the secret containing the BMC credentials (requires keys \"username\" and \"password\")." + description: "The name of the secret containing the BMC credentials (requires\nkeys \"username\" and \"password\")." type: "string" disableCertificateVerification: - description: "DisableCertificateVerification disables verification of server certificates when using HTTPS to connect to the BMC. This is required when the server certificate is self-signed, but is insecure because it allows a man-in-the-middle to intercept the connection." + description: "DisableCertificateVerification disables verification of server\ncertificates when using HTTPS to connect to the BMC. 
This is\nrequired when the server certificate is self-signed, but is\ninsecure because it allows a man-in-the-middle to intercept the\nconnection." type: "boolean" required: - "address" - "credentialsName" type: "object" bootMACAddress: - description: "The MAC address of the NIC used for provisioning the host. In case of network boot, this is the MAC address of the PXE booting interface. The MAC address of the BMC must never be used here!" + description: "The MAC address of the NIC used for provisioning the host. In case\nof network boot, this is the MAC address of the PXE booting\ninterface. The MAC address of the BMC must never be used here!" pattern: "[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}" type: "string" bootMode: - description: "Select the method of initializing the hardware during boot. Defaults to UEFI. Legacy boot should only be used for hardware that does not support UEFI correctly. Set to UEFISecureBoot to turn secure boot on automatically after provisioning." + description: "Select the method of initializing the hardware during boot.\nDefaults to UEFI. Legacy boot should only be used for hardware that\ndoes not support UEFI correctly. Set to UEFISecureBoot to turn\nsecure boot on automatically after provisioning." enum: - "UEFI" - "UEFISecureBoot" - "legacy" type: "string" consumerRef: - description: "ConsumerRef can be used to store information about something that is using a host. When it is not empty, the host is considered \"in use\". The common use case is a link to a Machine resource when the host is used by Cluster API." + description: "ConsumerRef can be used to store information about something\nthat is using a host. When it is not empty, the host is\nconsidered \"in use\". The common use case is a link to a Machine\nresource when the host is used by Cluster API." properties: apiVersion: description: "API version of the referent." 
type: "string" fieldPath: - description: "If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future." + description: "If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object." type: "string" kind: - description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + description: "Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: "string" name: - description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" namespace: - description: "Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: "Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" type: "string" resourceVersion: - description: "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency" + description: "Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency" type: "string" uid: - description: "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids" + description: "UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids" type: "string" type: "object" x-kubernetes-map-type: "atomic" customDeploy: - description: "A custom deploy procedure. This is an advanced feature that allows using a custom deploy step provided by a site-specific deployment ramdisk. Most users will want to use \"image\" instead. Settings this field triggers provisioning." + description: "A custom deploy procedure. This is an advanced feature that allows\nusing a custom deploy step provided by a site-specific deployment\nramdisk. Most users will want to use \"image\" instead. Setting this\nfield triggers provisioning." properties: method: - description: "Custom deploy method name. This name is specific to the deploy ramdisk used. If you don't have a custom deploy ramdisk, you shouldn't use CustomDeploy." + description: "Custom deploy method name.\nThis name is specific to the deploy ramdisk used. If you don't have\na custom deploy ramdisk, you shouldn't use CustomDeploy." type: "string" required: - "method" 
@@ -139,10 +139,10 @@ spec: description: "Description is a human-entered text used to help identify the host." type: "string" externallyProvisioned: - description: "ExternallyProvisioned means something else has provisioned the image running on the host, and the operator should only manage the power status. This field is used for integration with already provisioned hosts and when pivoting hosts between clusters. If unsure, leave this field as false." + description: "ExternallyProvisioned means something else has provisioned the\nimage running on the host, and the operator should only manage\nthe power status. This field is used for integration with already\nprovisioned hosts and when pivoting hosts between clusters. If\nunsure, leave this field as false." type: "boolean" firmware: - description: "Firmware (BIOS) configuration for bare metal server. If set, the requested settings will be applied before the host is provisioned. Only some vendor drivers support this field. An alternative is to use HostFirmwareSettings resources that allow changing arbitrary values and support the generic Redfish-based drivers." + description: "Firmware (BIOS) configuration for bare metal server. If set, the\nrequested settings will be applied before the host is provisioned.\nOnly some vendor drivers support this field. An alternative is to\nuse HostFirmwareSettings resources that allow changing arbitrary\nvalues and support the generic Redfish-based drivers." properties: simultaneousMultithreadingEnabled: description: "Allows a single physical processor core to appear as several logical processors." 
@@ -164,16 +164,16 @@ spec: type: "boolean" type: "object" hardwareProfile: - description: "What is the name of the hardware profile for this host? Hardware profiles are deprecated and should not be used. Use the separate fields Architecture and RootDeviceHints instead. Set to \"empty\" to prepare for the future version of the API without hardware profiles." + description: "What is the name of the hardware profile for this host?\nHardware profiles are deprecated and should not be used.\nUse the separate fields Architecture and RootDeviceHints instead.\nSet to \"empty\" to prepare for the future version of the API\nwithout hardware profiles." type: "string" image: - description: "Image holds the details of the image to be provisioned. Populating the image will cause the host to start provisioning." + description: "Image holds the details of the image to be provisioned. Populating\nthe image will cause the host to start provisioning." properties: checksum: - description: "Checksum is the checksum for the image. Required for all formats except for \"live-iso\"." + description: "Checksum is the checksum for the image. Required for all formats\nexcept for \"live-iso\"." type: "string" checksumType: - description: "ChecksumType is the checksum algorithm for the image, e.g md5, sha256 or sha512. The special value \"auto\" can be used to detect the algorithm from the checksum. If missing, MD5 is used. If in doubt, use \"auto\"." + description: "ChecksumType is the checksum algorithm for the image, e.g md5, sha256 or sha512.\nThe special value \"auto\" can be used to detect the algorithm from the checksum.\nIf missing, MD5 is used. If in doubt, use \"auto\"." enum: - "md5" - "sha256" 
@@ -181,7 +181,7 @@ spec: - "auto" type: "string" format: - description: "Format contains the format of the image (raw, qcow2, ...). When set to \"live-iso\", an ISO 9660 image referenced by the url will be live-booted and not deployed to disk." + description: "Format contains the format of the image (raw, qcow2, ...).\nWhen set to \"live-iso\", an ISO 9660 image referenced by the url will\nbe live-booted and not deployed to disk." enum: - "raw" - "qcow2" @@ -196,7 +196,7 @@ spec: - "url" type: "object" metaData: - description: "MetaData holds the reference to the Secret containing host metadata which is passed to the Config Drive. By default, the operater will generate metadata for the host, so most users do not need to set this field." + description: "MetaData holds the reference to the Secret containing host metadata\nwhich is passed to the Config Drive. By default, metadata will be\ngenerated for the host, so most users do not need to set this field." properties: name: description: "name is unique within a namespace to reference a secret resource." @@ -207,7 +207,7 @@ spec: type: "object" x-kubernetes-map-type: "atomic" networkData: - description: "NetworkData holds the reference to the Secret containing network configuration which is passed to the Config Drive and interpreted by the first boot software such as cloud-init." + description: "NetworkData holds the reference to the Secret containing network\nconfiguration which is passed to the Config Drive and interpreted\nby the first boot software such as cloud-init." properties: name: description: "name is unique within a namespace to reference a secret resource." 
@@ -218,16 +218,16 @@ spec: type: "object" x-kubernetes-map-type: "atomic" online: - description: "Should the host be powered on? Changing this value will trigger a change in power state of the host." + description: "Should the host be powered on? If the host is currently in a stable\nstate (e.g. provisioned), its power state will be forced to match\nthis value." type: "boolean" preprovisioningNetworkDataName: - description: "PreprovisioningNetworkDataName is the name of the Secret in the local namespace containing network configuration which is passed to the preprovisioning image, and to the Config Drive if not overridden by specifying NetworkData." + description: "PreprovisioningNetworkDataName is the name of the Secret in the\nlocal namespace containing network configuration which is passed to\nthe preprovisioning image, and to the Config Drive if not overridden\nby specifying NetworkData." type: "string" raid: - description: "RAID configuration for bare metal server. If set, the RAID settings will be applied before the host is provisioned. If not, the current settings will not be modified. Only one of the sub-fields hardwareRAIDVolumes and softwareRAIDVolumes can be set at the same time." + description: "RAID configuration for bare metal server. If set, the RAID settings\nwill be applied before the host is provisioned. If not, the current\nsettings will not be modified. Only one of the sub-fields\nhardwareRAIDVolumes and softwareRAIDVolumes can be set at the same\ntime." properties: hardwareRAIDVolumes: - description: "The list of logical disks for hardware RAID, if rootDeviceHints isn't used, first volume is root volume. You can set the value of this field to `[]` to clear all the hardware RAID configurations." + description: "The list of logical disks for hardware RAID, if rootDeviceHints isn't used, first volume is root volume.\nYou can set the value of this field to `[]` to clear all the hardware RAID configurations." 
items: description: "HardwareRAIDVolume defines the desired configuration of volume in hardware RAID." properties: @@ -235,7 +235,7 @@ spec: description: "The name of the RAID controller to use." type: "string" level: - description: "RAID level for the logical disk. The following levels are supported: 0, 1, 2, 5, 6, 1+0, 5+0, 6+0 (drivers may support only some of them)." + description: "RAID level for the logical disk. The following levels are supported:\n0, 1, 2, 5, 6, 1+0, 5+0, 6+0 (drivers may support only some of them)." enum: - "0" - "1" 
@@ -247,23 +247,23 @@ spec: - "6+0" type: "string" name: - description: "Name of the volume. Should be unique within the Node. If not specified, the name will be auto-generated." + description: "Name of the volume. Should be unique within the Node. If not\nspecified, the name will be auto-generated." maxLength: 64 type: "string" numberOfPhysicalDisks: - description: "Integer, number of physical disks to use for the logical disk. Defaults to minimum number of disks required for the particular RAID level." + description: "Integer, number of physical disks to use for the logical disk.\nDefaults to minimum number of disks required for the particular RAID\nlevel." minimum: 1.0 type: "integer" physicalDisks: - description: "Optional list of physical disk names to be used for the hardware RAID volumes. The disk names are interpreted by the hardware RAID controller, and the format is hardware specific." + description: "Optional list of physical disk names to be used for the hardware RAID volumes. The disk names are interpreted\nby the hardware RAID controller, and the format is hardware specific." items: type: "string" type: "array" rotational: - description: "Select disks with only rotational (if set to true) or solid-state (if set to false) storage. By default, any disks can be picked." + description: "Select disks with only rotational (if set to true) or solid-state\n(if set to false) storage. By default, any disks can be picked." type: "boolean" sizeGibibytes: - description: "Size of the logical disk to be created in GiB. If unspecified or set be 0, the maximum capacity of disk will be used for logical disk." + description: "Size of the logical disk to be created in GiB. If unspecified or\nset be 0, the maximum capacity of disk will be used for logical\ndisk." minimum: 0.0 type: "integer" required: 
@@ -272,12 +272,12 @@ spec: nullable: true type: "array" softwareRAIDVolumes: - description: "The list of logical disks for software RAID, if rootDeviceHints isn't used, first volume is root volume. If HardwareRAIDVolumes is set this item will be invalid. The number of created Software RAID devices must be 1 or 2. If there is only one Software RAID device, it has to be a RAID-1. If there are two, the first one has to be a RAID-1, while the RAID level for the second one can be 0, 1, or 1+0. As the first RAID device will be the deployment device, enforcing a RAID-1 reduces the risk of ending up with a non-booting node in case of a disk failure. Software RAID will always be deleted." + description: "The list of logical disks for software RAID, if rootDeviceHints isn't used, first volume is root volume.\nIf HardwareRAIDVolumes is set this item will be invalid.\nThe number of created Software RAID devices must be 1 or 2.\nIf there is only one Software RAID device, it has to be a RAID-1.\nIf there are two, the first one has to be a RAID-1, while the RAID level for the second one can be 0, 1, or 1+0.\nAs the first RAID device will be the deployment device,\nenforcing a RAID-1 reduces the risk of ending up with a non-booting host in case of a disk failure.\nSoftware RAID will always be deleted." items: description: "SoftwareRAIDVolume defines the desired configuration of volume in software RAID." properties: level: - description: "RAID level for the logical disk. The following levels are supported: 0, 1 and 1+0." + description: "RAID level for the logical disk. The following levels are supported:\n0, 1 and 1+0." enum: - "0" - "1" 
@@ -286,44 +286,44 @@ spec: physicalDisks: description: "A list of device hints, the number of items should be greater than or equal to 2." items: - description: "RootDeviceHints holds the hints for specifying the storage location for the root filesystem for the image." + description: "RootDeviceHints holds the hints for specifying the storage location\nfor the root filesystem for the image." properties: deviceName: - description: "A Linux device name like \"/dev/vda\", or a by-path link to it like \"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". The hint must match the actual value exactly." + description: "A Linux device name like \"/dev/vda\", or a by-path link to it like\n\"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". The hint must match\nthe actual value exactly." type: "string" hctl: - description: "A SCSI bus address like 0:0:0:0. The hint must match the actual value exactly." + description: "A SCSI bus address like 0:0:0:0. The hint must match the actual\nvalue exactly." type: "string" minSizeGigabytes: description: "The minimum size of the device in Gigabytes." minimum: 0.0 type: "integer" model: - description: "A vendor-specific device identifier. The hint can be a substring of the actual value." + description: "A vendor-specific device identifier. The hint can be a\nsubstring of the actual value." type: "string" rotational: description: "True if the device should use spinning media, false otherwise." type: "boolean" serialNumber: - description: "Device serial number. The hint must match the actual value exactly." + description: "Device serial number. The hint must match the actual value\nexactly." type: "string" vendor: - description: "The name of the vendor or manufacturer of the device. The hint can be a substring of the actual value." + description: "The name of the vendor or manufacturer of the device. The hint\ncan be a substring of the actual value." type: "string" wwn: - description: "Unique storage identifier. 
The hint must match the actual value exactly." + description: "Unique storage identifier. The hint must match the actual value\nexactly." type: "string" wwnVendorExtension: - description: "Unique vendor storage identifier. The hint must match the actual value exactly." + description: "Unique vendor storage identifier. The hint must match the\nactual value exactly." type: "string" wwnWithExtension: - description: "Unique storage identifier with the vendor extension appended. The hint must match the actual value exactly." + description: "Unique storage identifier with the vendor extension\nappended. The hint must match the actual value exactly." type: "string" type: "object" minItems: 2 type: "array" sizeGibibytes: - description: "Size of the logical disk to be created in GiB. If unspecified or set be 0, the maximum capacity of disk will be used for logical disk." + description: "Size of the logical disk to be created in GiB.\nIf unspecified or set be 0, the maximum capacity of disk will be used for logical disk." minimum: 0.0 type: "integer" required: 
@@ -334,53 +334,53 @@ spec: type: "array" type: "object" rootDeviceHints: - description: "Provide guidance about how to choose the device for the image being provisioned. The default is currently to use /dev/sda as the root device." + description: "Provide guidance about how to choose the device for the image\nbeing provisioned. The default is currently to use /dev/sda as\nthe root device." properties: deviceName: - description: "A Linux device name like \"/dev/vda\", or a by-path link to it like \"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". The hint must match the actual value exactly." + description: "A Linux device name like \"/dev/vda\", or a by-path link to it like\n\"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". The hint must match\nthe actual value exactly." type: "string" hctl: - description: "A SCSI bus address like 0:0:0:0. The hint must match the actual value exactly." + description: "A SCSI bus address like 0:0:0:0. The hint must match the actual\nvalue exactly." type: "string" minSizeGigabytes: description: "The minimum size of the device in Gigabytes." minimum: 0.0 type: "integer" model: - description: "A vendor-specific device identifier. The hint can be a substring of the actual value." + description: "A vendor-specific device identifier. The hint can be a\nsubstring of the actual value." type: "string" rotational: description: "True if the device should use spinning media, false otherwise." type: "boolean" serialNumber: - description: "Device serial number. The hint must match the actual value exactly." + description: "Device serial number. The hint must match the actual value\nexactly." type: "string" vendor: - description: "The name of the vendor or manufacturer of the device. The hint can be a substring of the actual value." + description: "The name of the vendor or manufacturer of the device. The hint\ncan be a substring of the actual value." type: "string" wwn: - description: "Unique storage identifier. 
The hint must match the actual value exactly." + description: "Unique storage identifier. The hint must match the actual value\nexactly." type: "string" wwnVendorExtension: - description: "Unique vendor storage identifier. The hint must match the actual value exactly." + description: "Unique vendor storage identifier. The hint must match the\nactual value exactly." type: "string" wwnWithExtension: - description: "Unique storage identifier with the vendor extension appended. The hint must match the actual value exactly." + description: "Unique storage identifier with the vendor extension\nappended. The hint must match the actual value exactly." type: "string" type: "object" taints: - description: "Taints is the full, authoritative list of taints to apply to the corresponding Machine. This list will overwrite any modifications made to the Machine on an ongoing basis." + description: "Taints is the full, authoritative list of taints to apply to\nthe corresponding Machine. This list will overwrite any\nmodifications made to the Machine on an ongoing basis." items: - description: "The node this Taint is attached to has the \"effect\" on any pod that does not tolerate the Taint." + description: "The node this Taint is attached to has the \"effect\" on\nany pod that does not tolerate the Taint." properties: effect: - description: "Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute." + description: "Required. The effect of the taint on pods\nthat do not tolerate the taint.\nValid effects are NoSchedule, PreferNoSchedule and NoExecute." type: "string" key: description: "Required. The taint key to be applied to a node." type: "string" timeAdded: - description: "TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints." + description: "TimeAdded represents the time at which the taint was added.\nIt is only written for NoExecute taints." 
format: "date-time" type: "string" value: @@ -392,7 +392,7 @@ spec: type: "object" type: "array" userData: - description: "UserData holds the reference to the Secret containing the user data which is passed to the Config Drive and interpreted by the first-boot software such as cloud-init. The format of user data is specific to the first-boot software." + description: "UserData holds the reference to the Secret containing the user data\nwhich is passed to the Config Drive and interpreted by the\nfirst-boot software such as cloud-init. The format of user data is\nspecific to the first-boot software." properties: name: description: "name is unique within a namespace to reference a secret resource." @@ -416,7 +416,7 @@ spec: description: "The last error message reported by the provisioning subsystem." type: "string" errorType: - description: "ErrorType indicates the type of failure encountered when the OperationalStatus is OperationalStatusError" + description: "ErrorType indicates the type of failure encountered when the\nOperationalStatus is OperationalStatusError" enum: - "provisioned registration error" - "registration error" @@ -429,7 +429,7 @@ spec: description: "The last credentials we were able to validate as working." properties: credentials: - description: "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace" + description: "SecretReference represents a Secret Reference. It has enough information to retrieve secret\nin any namespace" properties: name: description: "name is unique within a namespace to reference a secret resource." 
@@ -443,7 +443,7 @@ spec: type: "string" type: "object" hardware: - description: "The hardware discovered to exist on the host. This field will be removed in the next API version in favour of the separate HardwareData resource." + description: "The hardware discovered to exist on the host.\nThis field will be removed in the next API version in favour of the\nseparate HardwareData resource." properties: cpu: description: "Details of the CPU(s) in the system." @@ -488,7 +488,7 @@ spec: description: "NIC describes one network interface on the host." properties: ip: - description: "The IP address of the interface. This will be an IPv4 or IPv6 address if one is present. If both IPv4 and IPv6 addresses are present in a dual-stack environment, two nics will be output, one with each IP." + description: "The IP address of the interface. This will be an IPv4 or IPv6 address\nif one is present. If both IPv4 and IPv6 addresses are present in a\ndual-stack environment, two nics will be output, one with each IP." type: "string" mac: description: "The device MAC address" @@ -538,7 +538,7 @@ spec: description: "Storage describes one storage device (disk, SSD, etc.) on the host." properties: alternateNames: - description: "A list of alternate Linux device names of the disk, e.g. \"/dev/sda\". Note that this list is not exhaustive, and names may not be stable across reboots." + description: "A list of alternate Linux device names of the disk, e.g. \"/dev/sda\".\nNote that this list is not exhaustive, and names may not be stable\nacross reboots." items: type: "string" type: "array" 
@@ -549,10 +549,10 @@ spec: description: "Hardware model" type: "string" name: - description: "A Linux device name of the disk, e.g. \"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". This will be a name that is stable across reboots if one is available." + description: "A Linux device name of the disk, e.g.\n\"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". This will be a name\nthat is stable across reboots if one is available." type: "string" rotational: - description: "Whether this disk represents rotational storage. This field is not recommended for usage, please prefer using 'Type' field instead, this field will be deprecated eventually." + description: "Whether this disk represents rotational storage.\nThis field is not recommended for usage, please\nprefer using 'Type' field instead, this field\nwill be deprecated eventually." type: "boolean" serialNumber: description: "The serial number of the device" @@ -594,17 +594,17 @@ spec: type: "object" type: "object" hardwareProfile: - description: "The name of the profile matching the hardware details. Hardware profiles are deprecated and should not be relied on." + description: "The name of the profile matching the hardware details.\nHardware profiles are deprecated and should not be relied on." type: "string" lastUpdated: description: "LastUpdated identifies when this status was last observed." format: "date-time" type: "string" operationHistory: - description: "OperationHistory holds information about operations performed on this host." + description: "OperationHistory holds information about operations performed\non this host." properties: deprovision: - description: "OperationMetric contains metadata about an operation (inspection, provisioning, etc.) used for tracking metrics." + description: "OperationMetric contains metadata about an operation (inspection,\nprovisioning, etc.) used for tracking metrics." properties: end: format: "date-time" 
@@ -616,7 +616,7 @@ spec: type: "string" type: "object" inspect: - description: "OperationMetric contains metadata about an operation (inspection, provisioning, etc.) used for tracking metrics." + description: "OperationMetric contains metadata about an operation (inspection,\nprovisioning, etc.) used for tracking metrics." properties: end: format: "date-time" @@ -628,7 +628,7 @@ spec: type: "string" type: "object" provision: - description: "OperationMetric contains metadata about an operation (inspection, provisioning, etc.) used for tracking metrics." + description: "OperationMetric contains metadata about an operation (inspection,\nprovisioning, etc.) used for tracking metrics." properties: end: format: "date-time" @@ -640,7 +640,7 @@ spec: type: "string" type: "object" register: - description: "OperationMetric contains metadata about an operation (inspection, provisioning, etc.) used for tracking metrics." + description: "OperationMetric contains metadata about an operation (inspection,\nprovisioning, etc.) used for tracking metrics." properties: end: format: "date-time" 
@@ -663,16 +663,16 @@ spec: - "detached" type: "string" poweredOn: - description: "Whether or not the host is currently powered on. This field may get briefly out of sync with the actual state of the hardware while provisioning processes are running." + description: "The currently detected power state of the host. This field may get\nbriefly out of sync with the actual state of the hardware while\nprovisioning processes are running." type: "boolean" provisioning: description: "Information tracked by the provisioner." properties: ID: - description: "The hosts's ID from the underlying provisioning tool (e.g. the Ironic node UUID)." + description: "The hosts's ID from the underlying provisioning tool (e.g. the\nIronic node UUID)." type: "string" bootMode: - description: "BootMode indicates the boot mode used to provision the node" + description: "BootMode indicates the boot mode used to provision the host." enum: - "UEFI" - "UEFISecureBoot" @@ -682,7 +682,7 @@ spec: description: "Custom deploy procedure applied to the host." properties: method: - description: "Custom deploy method name. This name is specific to the deploy ramdisk used. If you don't have a custom deploy ramdisk, you shouldn't use CustomDeploy." + description: "Custom deploy method name.\nThis name is specific to the deploy ramdisk used. If you don't have\na custom deploy ramdisk, you shouldn't use CustomDeploy." type: "string" required: - "method" 
@@ -710,13 +710,13 @@ spec: type: "boolean" type: "object" image: - description: "Image holds the details of the last image successfully provisioned to the host." + description: "Image holds the details of the last image successfully\nprovisioned to the host." properties: checksum: - description: "Checksum is the checksum for the image. Required for all formats except for \"live-iso\"." + description: "Checksum is the checksum for the image. Required for all formats\nexcept for \"live-iso\"." type: "string" checksumType: - description: "ChecksumType is the checksum algorithm for the image, e.g md5, sha256 or sha512. The special value \"auto\" can be used to detect the algorithm from the checksum. If missing, MD5 is used. If in doubt, use \"auto\"." + description: "ChecksumType is the checksum algorithm for the image, e.g md5, sha256 or sha512.\nThe special value \"auto\" can be used to detect the algorithm from the checksum.\nIf missing, MD5 is used. If in doubt, use \"auto\"." enum: - "md5" - "sha256" @@ -724,7 +724,7 @@ spec: - "auto" type: "string" format: - description: "Format contains the format of the image (raw, qcow2, ...). When set to \"live-iso\", an ISO 9660 image referenced by the url will be live-booted and not deployed to disk." + description: "Format contains the format of the image (raw, qcow2, ...).\nWhen set to \"live-iso\", an ISO 9660 image referenced by the url will\nbe live-booted and not deployed to disk." enum: - "raw" - "qcow2" 
@@ -742,7 +742,7 @@ spec: description: "The RAID configuration that has been applied." properties: hardwareRAIDVolumes: - description: "The list of logical disks for hardware RAID, if rootDeviceHints isn't used, first volume is root volume. You can set the value of this field to `[]` to clear all the hardware RAID configurations." + description: "The list of logical disks for hardware RAID, if rootDeviceHints isn't used, first volume is root volume.\nYou can set the value of this field to `[]` to clear all the hardware RAID configurations." items: description: "HardwareRAIDVolume defines the desired configuration of volume in hardware RAID." properties: @@ -750,7 +750,7 @@ spec: description: "The name of the RAID controller to use." type: "string" level: - description: "RAID level for the logical disk. The following levels are supported: 0, 1, 2, 5, 6, 1+0, 5+0, 6+0 (drivers may support only some of them)." + description: "RAID level for the logical disk. The following levels are supported:\n0, 1, 2, 5, 6, 1+0, 5+0, 6+0 (drivers may support only some of them)." enum: - "0" - "1" 
@@ -762,23 +762,23 @@ spec: - "6+0" type: "string" name: - description: "Name of the volume. Should be unique within the Node. If not specified, the name will be auto-generated." + description: "Name of the volume. Should be unique within the Node. If not\nspecified, the name will be auto-generated." maxLength: 64 type: "string" numberOfPhysicalDisks: - description: "Integer, number of physical disks to use for the logical disk. Defaults to minimum number of disks required for the particular RAID level." + description: "Integer, number of physical disks to use for the logical disk.\nDefaults to minimum number of disks required for the particular RAID\nlevel." minimum: 1.0 type: "integer" physicalDisks: - description: "Optional list of physical disk names to be used for the hardware RAID volumes. The disk names are interpreted by the hardware RAID controller, and the format is hardware specific." + description: "Optional list of physical disk names to be used for the hardware RAID volumes. The disk names are interpreted\nby the hardware RAID controller, and the format is hardware specific." items: type: "string" type: "array" rotational: - description: "Select disks with only rotational (if set to true) or solid-state (if set to false) storage. By default, any disks can be picked." + description: "Select disks with only rotational (if set to true) or solid-state\n(if set to false) storage. By default, any disks can be picked." type: "boolean" sizeGibibytes: - description: "Size of the logical disk to be created in GiB. If unspecified or set be 0, the maximum capacity of disk will be used for logical disk." + description: "Size of the logical disk to be created in GiB. If unspecified or\nset be 0, the maximum capacity of disk will be used for logical\ndisk." minimum: 0.0 type: "integer" required: 
@@ -787,12 +787,12 @@ spec: nullable: true type: "array" softwareRAIDVolumes: - description: "The list of logical disks for software RAID, if rootDeviceHints isn't used, first volume is root volume. If HardwareRAIDVolumes is set this item will be invalid. The number of created Software RAID devices must be 1 or 2. If there is only one Software RAID device, it has to be a RAID-1. If there are two, the first one has to be a RAID-1, while the RAID level for the second one can be 0, 1, or 1+0. As the first RAID device will be the deployment device, enforcing a RAID-1 reduces the risk of ending up with a non-booting node in case of a disk failure. Software RAID will always be deleted." + description: "The list of logical disks for software RAID, if rootDeviceHints isn't used, first volume is root volume.\nIf HardwareRAIDVolumes is set this item will be invalid.\nThe number of created Software RAID devices must be 1 or 2.\nIf there is only one Software RAID device, it has to be a RAID-1.\nIf there are two, the first one has to be a RAID-1, while the RAID level for the second one can be 0, 1, or 1+0.\nAs the first RAID device will be the deployment device,\nenforcing a RAID-1 reduces the risk of ending up with a non-booting host in case of a disk failure.\nSoftware RAID will always be deleted." items: description: "SoftwareRAIDVolume defines the desired configuration of volume in software RAID." properties: level: - description: "RAID level for the logical disk. The following levels are supported: 0, 1 and 1+0." + description: "RAID level for the logical disk. The following levels are supported:\n0, 1 and 1+0." enum: - "0" - "1" 
@@ -801,44 +801,44 @@ spec: physicalDisks: description: "A list of device hints, the number of items should be greater than or equal to 2." items: - description: "RootDeviceHints holds the hints for specifying the storage location for the root filesystem for the image." + description: "RootDeviceHints holds the hints for specifying the storage location\nfor the root filesystem for the image." properties: deviceName: - description: "A Linux device name like \"/dev/vda\", or a by-path link to it like \"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". The hint must match the actual value exactly." + description: "A Linux device name like \"/dev/vda\", or a by-path link to it like\n\"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". The hint must match\nthe actual value exactly." type: "string" hctl: - description: "A SCSI bus address like 0:0:0:0. The hint must match the actual value exactly." + description: "A SCSI bus address like 0:0:0:0. The hint must match the actual\nvalue exactly." type: "string" minSizeGigabytes: description: "The minimum size of the device in Gigabytes." minimum: 0.0 type: "integer" model: - description: "A vendor-specific device identifier. The hint can be a substring of the actual value." + description: "A vendor-specific device identifier. The hint can be a\nsubstring of the actual value." type: "string" rotational: description: "True if the device should use spinning media, false otherwise." type: "boolean" serialNumber: - description: "Device serial number. The hint must match the actual value exactly." + description: "Device serial number. The hint must match the actual value\nexactly." type: "string" vendor: - description: "The name of the vendor or manufacturer of the device. The hint can be a substring of the actual value." + description: "The name of the vendor or manufacturer of the device. The hint\ncan be a substring of the actual value." type: "string" wwn: - description: "Unique storage identifier. 
The hint must match the actual value exactly." + description: "Unique storage identifier. The hint must match the actual value\nexactly." type: "string" wwnVendorExtension: - description: "Unique vendor storage identifier. The hint must match the actual value exactly." + description: "Unique vendor storage identifier. The hint must match the\nactual value exactly." type: "string" wwnWithExtension: - description: "Unique storage identifier with the vendor extension appended. The hint must match the actual value exactly." + description: "Unique storage identifier with the vendor extension\nappended. The hint must match the actual value exactly." type: "string" type: "object" minItems: 2 type: "array" sizeGibibytes: - description: "Size of the logical disk to be created in GiB. If unspecified or set be 0, the maximum capacity of disk will be used for logical disk." + description: "Size of the logical disk to be created in GiB.\nIf unspecified or set be 0, the maximum capacity of disk will be used for logical disk." minimum: 0.0 type: "integer" required: 
@@ -849,38 +849,38 @@ spec: type: "array" type: "object" rootDeviceHints: - description: "The root device hints set by the user." + description: "The root device hints used to provision the host." properties: deviceName: - description: "A Linux device name like \"/dev/vda\", or a by-path link to it like \"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". The hint must match the actual value exactly." + description: "A Linux device name like \"/dev/vda\", or a by-path link to it like\n\"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". The hint must match\nthe actual value exactly." type: "string" hctl: - description: "A SCSI bus address like 0:0:0:0. The hint must match the actual value exactly." + description: "A SCSI bus address like 0:0:0:0. The hint must match the actual\nvalue exactly." type: "string" minSizeGigabytes: description: "The minimum size of the device in Gigabytes." minimum: 0.0 type: "integer" model: - description: "A vendor-specific device identifier. The hint can be a substring of the actual value." + description: "A vendor-specific device identifier. The hint can be a\nsubstring of the actual value." type: "string" rotational: description: "True if the device should use spinning media, false otherwise." type: "boolean" serialNumber: - description: "Device serial number. The hint must match the actual value exactly." + description: "Device serial number. The hint must match the actual value\nexactly." type: "string" vendor: - description: "The name of the vendor or manufacturer of the device. The hint can be a substring of the actual value." + description: "The name of the vendor or manufacturer of the device. The hint\ncan be a substring of the actual value." type: "string" wwn: - description: "Unique storage identifier. The hint must match the actual value exactly." + description: "Unique storage identifier. The hint must match the actual value\nexactly." type: "string" wwnVendorExtension: - description: "Unique vendor storage identifier. 
The hint must match the actual value exactly." + description: "Unique vendor storage identifier. The hint must match the\nactual value exactly." type: "string" wwnWithExtension: - description: "Unique storage identifier with the vendor extension appended. The hint must match the actual value exactly." + description: "Unique storage identifier with the vendor extension\nappended. The hint must match the actual value exactly." type: "string" type: "object" state: @@ -894,7 +894,7 @@ spec: description: "The last credentials we sent to the provisioning backend." properties: credentials: - description: "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace" + description: "SecretReference represents a Secret Reference. It has enough information to retrieve secret\nin any namespace" properties: name: description: "name is unique within a namespace to reference a secret resource." diff --git a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/bmceventsubscriptions.yaml b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/bmceventsubscriptions.yaml index 6427ecc57..8b512ab31 100644 --- a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/bmceventsubscriptions.yaml +++ b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/bmceventsubscriptions.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.12.1" + controller-gen.kubebuilder.io/version: "v0.16.3" name: "bmceventsubscriptions.metal3.io" spec: group: "metal3.io" 
@@ -31,10 +31,10 @@ spec: description: "BMCEventSubscription is the Schema for the fast eventing API" properties: apiVersion: - description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" type: "string" kind: - description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: "string" metadata: type: "object" @@ -50,7 +50,7 @@ spec: description: "A reference to a BareMetalHost" type: "string" httpHeadersRef: - description: "A secret containing HTTP headers which should be passed along to the Destination when making a request" + description: "A secret containing HTTP headers which should be passed along to the Destination\nwhen making a request" properties: name: description: "name is unique within a namespace to reference a secret resource." 
diff --git a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/dataimages.yaml b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/dataimages.yaml index bc662478c..3310e93dd 100644 --- a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/dataimages.yaml +++ b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/dataimages.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.12.1" + controller-gen.kubebuilder.io/version: "v0.16.3" name: "dataimages.metal3.io" spec: group: "metal3.io" 
@@ -19,10 +19,10 @@ spec: description: "DataImage is the Schema for the dataimages API." properties: apiVersion: - description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" type: "string" kind: - description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: "string" metadata: type: "object" @@ -30,7 +30,7 @@ spec: description: "DataImageSpec defines the desired state of DataImage." properties: url: - description: "Url is the address of the dataImage that we want to attach to a BareMetalHost" + description: "Url is the address of the dataImage that we want to attach\nto a BareMetalHost" type: "string" required: - "url" diff --git a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/firmwareschemas.yaml b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/firmwareschemas.yaml index 6421b7dfd..69f32e9c0 100644 
--- a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/firmwareschemas.yaml +++ b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/firmwareschemas.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.12.1" + controller-gen.kubebuilder.io/version: "v0.16.3" name: "firmwareschemas.metal3.io" spec: group: "metal3.io" @@ -19,10 +19,10 @@ spec: description: "FirmwareSchema is the Schema for the firmwareschemas API." properties: apiVersion: - description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" type: "string" kind: - description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: "string" metadata: type: "object" 
@@ -66,7 +66,7 @@ spec: description: "Whether or not this setting is read only." type: "boolean" unique: - description: "Whether or not this setting's value is unique to this node, e.g. a serial number." + description: "Whether or not this setting's value is unique to this node, e.g.\na serial number." type: "boolean" upper_bound: description: "The highest value for an Integer type setting." diff --git a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hardwaredata.yaml b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hardwaredata.yaml index 44857e403..cbec99cbb 100644 --- a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hardwaredata.yaml +++ b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hardwaredata.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.12.1" + controller-gen.kubebuilder.io/version: "v0.16.3" name: "hardwaredata.metal3.io" spec: group: "metal3.io" 
@@ -26,10 +26,10 @@ spec: description: "HardwareData is the Schema for the hardwaredata API." properties: apiVersion: - description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" type: "string" kind: - description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: "string" metadata: type: "object" 
@@ -82,7 +82,7 @@ spec: description: "NIC describes one network interface on the host." properties: ip: - description: "The IP address of the interface. This will be an IPv4 or IPv6 address if one is present. If both IPv4 and IPv6 addresses are present in a dual-stack environment, two nics will be output, one with each IP." + description: "The IP address of the interface. This will be an IPv4 or IPv6 address\nif one is present. If both IPv4 and IPv6 addresses are present in a\ndual-stack environment, two nics will be output, one with each IP." type: "string" mac: description: "The device MAC address" @@ -132,7 +132,7 @@ spec: description: "Storage describes one storage device (disk, SSD, etc.) on the host." properties: alternateNames: - description: "A list of alternate Linux device names of the disk, e.g. \"/dev/sda\". Note that this list is not exhaustive, and names may not be stable across reboots." + description: "A list of alternate Linux device names of the disk, e.g. \"/dev/sda\".\nNote that this list is not exhaustive, and names may not be stable\nacross reboots." items: type: "string" type: "array" 
@@ -143,10 +143,10 @@ spec: description: "Hardware model" type: "string" name: - description: "A Linux device name of the disk, e.g. \"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". This will be a name that is stable across reboots if one is available." + description: "A Linux device name of the disk, e.g.\n\"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0\". This will be a name\nthat is stable across reboots if one is available." type: "string" rotational: - description: "Whether this disk represents rotational storage. This field is not recommended for usage, please prefer using 'Type' field instead, this field will be deprecated eventually." + description: "Whether this disk represents rotational storage.\nThis field is not recommended for usage, please\nprefer using 'Type' field instead, this field\nwill be deprecated eventually." type: "boolean" serialNumber: description: "The serial number of the device" diff --git a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hostfirmwarecomponents.yaml b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hostfirmwarecomponents.yaml index 148dcec07..14f7f0e15 100644 --- a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hostfirmwarecomponents.yaml +++ b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hostfirmwarecomponents.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.12.1" + controller-gen.kubebuilder.io/version: "v0.16.3" name: "hostfirmwarecomponents.metal3.io" spec: group: "metal3.io" 
@@ -19,10 +19,10 @@ spec: description: "HostFirmwareComponents is the Schema for the hostfirmwarecomponents API." properties: apiVersion: - description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" type: "string" kind: - description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: "string" metadata: type: "object" 
@@ -72,23 +72,23 @@ spec: conditions: description: "Track whether updates stored in the spec are valid based on the schema" items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: "Condition contains details for one aspect of the current state of this API Resource." properties: lastTransitionTime: - description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." + description: "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." format: "date-time" type: "string" message: - description: "message is a human readable message indicating details about the transition. This may be an empty string." + description: "message is a human readable message indicating details about the transition.\nThis may be an empty string." maxLength: 32768 type: "string" observedGeneration: - description: "observedGeneration represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance." + description: "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance." format: "int64" minimum: 0.0 type: "integer" reason: - description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty." + description: "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." maxLength: 1024 minLength: 1 pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" @@ -101,7 +101,7 @@ spec: - "Unknown" type: "string" type: - description: "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: "type of condition in CamelCase or in foo.example.com/CamelCase." maxLength: 316 pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" type: "string" 
@@ -121,7 +121,7 @@ spec: format: "date-time" type: "string" updates: - description: "Updates is the list of all firmware components that should be updated they are specified via name and url fields." + description: "Updates is the list of all firmware components that should be updated\nthey are specified via name and url fields." items: description: "FirmwareUpdate defines a firmware update specification." properties: diff --git a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hostfirmwaresettings.yaml b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hostfirmwaresettings.yaml index 2f152a1cc..943f1bf0c 100644 --- a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hostfirmwaresettings.yaml +++ b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/hostfirmwaresettings.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.12.1" + controller-gen.kubebuilder.io/version: "v0.16.3" name: "hostfirmwaresettings.metal3.io" spec: group: "metal3.io" 
@@ -21,10 +21,10 @@ spec: description: "HostFirmwareSettings is the Schema for the hostfirmwaresettings API." properties: apiVersion: - description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" type: "string" kind: - description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: "string" metadata: type: "object" 
@@ -48,23 +48,23 @@ spec: conditions: description: "Track whether settings stored in the spec are valid based on the schema" items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: "Condition contains details for one aspect of the current state of this API Resource." properties: lastTransitionTime: - description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." + description: "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." format: "date-time" type: "string" message: - description: "message is a human readable message indicating details about the transition. This may be an empty string." + description: "message is a human readable message indicating details about the transition.\nThis may be an empty string." maxLength: 32768 type: "string" observedGeneration: - description: "observedGeneration represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance." + description: "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance." format: "int64" minimum: 0.0 type: "integer" reason: - description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty." + description: "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." maxLength: 1024 minLength: 1 pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" @@ -77,7 +77,7 @@ spec: - "Unknown" type: "string" type: - description: "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: "type of condition in CamelCase or in foo.example.com/CamelCase." maxLength: 316 pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" type: "string" 
@@ -97,7 +97,7 @@ spec: format: "date-time" type: "string" schema: - description: "FirmwareSchema is a reference to the Schema used to describe each FirmwareSetting. By default, this will be a Schema in the same Namespace as the settings but it can be overwritten in the Spec" + description: "FirmwareSchema is a reference to the Schema used to describe each\nFirmwareSetting. By default, this will be a Schema in the same\nNamespace as the settings but it can be overwritten in the Spec" properties: name: description: "`name` is the reference to the schema." diff --git a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/preprovisioningimages.yaml b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/preprovisioningimages.yaml index 5cbfa9386..b55906a47 100644 --- a/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/preprovisioningimages.yaml +++ b/crd-catalog/metal3-io/baremetal-operator/metal3.io/v1alpha1/preprovisioningimages.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.12.1" + controller-gen.kubebuilder.io/version: "v0.16.3" name: "preprovisioningimages.metal3.io" spec: group: "metal3.io" 
@@ -30,10 +30,10 @@ spec: description: "PreprovisioningImage is the Schema for the preprovisioningimages API." properties: apiVersion: - description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" type: "string" kind: - description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: "string" metadata: type: "object" @@ -53,7 +53,7 @@ spec: description: "architecture is the processor architecture for which to build the image." type: "string" networkDataName: - description: "networkDataName is the name of a Secret in the local namespace that contains network data to build in to the image." + description: "networkDataName is the name of a Secret in the local namespace that\ncontains network data to build in to the image." type: "string" type: "object" status: 
@@ -65,23 +65,23 @@ spec: conditions: description: "conditions describe the state of the built image" items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: "Condition contains details for one aspect of the current state of this API Resource." properties: lastTransitionTime: - description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." + description: "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." format: "date-time" type: "string" message: - description: "message is a human readable message indicating details about the transition. This may be an empty string." + description: "message is a human readable message indicating details about the transition.\nThis may be an empty string." maxLength: 32768 type: "string" observedGeneration: - description: "observedGeneration represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance." + description: "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance." format: "int64" minimum: 0.0 type: "integer" reason: - description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty." + description: "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." maxLength: 1024 minLength: 1 pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" @@ -94,7 +94,7 @@ spec: - "Unknown" type: "string" type: - description: "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: "type of condition in CamelCase or in foo.example.com/CamelCase." maxLength: 316 pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" type: "string" 
@@ -110,10 +110,10 @@ spec: - "type" x-kubernetes-list-type: "map" extraKernelParams: - description: "extraKernelParams is a string with extra parameters to pass to the kernel when booting the image over network. Only makes sense for initrd images." + description: "extraKernelParams is a string with extra parameters to pass to the\nkernel when booting the image over network. Only makes sense for initrd images." type: "string" format: - description: "format is the type of image that is available at the download url: either iso or initrd." + description: "format is the type of image that is available at the download url:\neither iso or initrd." enum: - "iso" - "initrd" @@ -122,10 +122,10 @@ spec: description: "imageUrl is the URL from which the built image can be downloaded." type: "string" kernelUrl: - description: "kernelUrl is the URL from which the kernel of the image can be downloaded. Only makes sense for initrd images." + description: "kernelUrl is the URL from which the kernel of the image can be downloaded.\nOnly makes sense for initrd images." type: "string" networkData: - description: "networkData is a reference to the version of the Secret containing the network data used to build the image." + description: "networkData is a reference to the version of the Secret containing the\nnetwork data used to build the image." properties: name: type: "string" diff --git a/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/clientsettingspolicies.yaml b/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/clientsettingspolicies.yaml index 8334019e3..813460226 100644 --- a/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/clientsettingspolicies.yaml +++ b/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/clientsettingspolicies.yaml 
@@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.16.3" + controller-gen.kubebuilder.io/version: "v0.16.4" labels: gateway.networking.k8s.io/policy: "inherited" name: "clientsettingspolicies.gateway.nginx.org" diff --git a/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/nginxgateways.yaml b/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/nginxgateways.yaml index fcc1d9d95..7abcd6aed 100644 --- a/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/nginxgateways.yaml +++ b/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/nginxgateways.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.16.3" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "nginxgateways.gateway.nginx.org" spec: group: "gateway.nginx.org" diff --git a/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/nginxproxies.yaml b/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/nginxproxies.yaml index 3e393fef1..47ae45cae 100644 --- a/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/nginxproxies.yaml +++ b/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/nginxproxies.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.16.3" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "nginxproxies.gateway.nginx.org" spec: group: "gateway.nginx.org" diff --git a/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/observabilitypolicies.yaml b/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/observabilitypolicies.yaml index a916daa89..926197173 100644 
--- a/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/observabilitypolicies.yaml +++ b/crd-catalog/nginxinc/nginx-kubernetes-gateway/gateway.nginx.org/v1alpha1/observabilitypolicies.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.16.3" + controller-gen.kubebuilder.io/version: "v0.16.4" labels: gateway.networking.k8s.io/policy: "direct" name: "observabilitypolicies.gateway.nginx.org" diff --git a/crd-catalog/open-telemetry/opentelemetry-operator/opentelemetry.io/v1alpha1/instrumentations.yaml b/crd-catalog/open-telemetry/opentelemetry-operator/opentelemetry.io/v1alpha1/instrumentations.yaml index 51615ccc1..f4e1d272e 100644 --- a/crd-catalog/open-telemetry/opentelemetry-operator/opentelemetry.io/v1alpha1/instrumentations.yaml +++ b/crd-catalog/open-telemetry/opentelemetry-operator/opentelemetry.io/v1alpha1/instrumentations.yaml 
@@ -214,6 +214,118 @@ spec: type: "object" version: type: "string" + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: "string" + type: "object" + finalizers: + items: + type: "string" + type: "array" + labels: + additionalProperties: + type: "string" + type: "object" + name: + type: "string" + namespace: + type: "string" + type: "object" + spec: + properties: + accessModes: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + dataSource: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + required: + - "kind" + - "name" + type: "object" + x-kubernetes-map-type: "atomic" + dataSourceRef: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + namespace: + type: "string" + required: + - "kind" + - "name" + type: "object" + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + type: "object" + selector: + properties: + matchExpressions: + items: + properties: + key: + type: "string" + operator: + type: "string" + values: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + type: "string" + volumeAttributesClassName: + type: "string" + 
volumeMode: + type: "string" + volumeName: + type: "string" + type: "object" + required: + - "spec" + type: "object" volumeLimitSize: anyOf: - type: "integer" 
@@ -329,6 +441,118 @@ spec: x-kubernetes-int-or-string: true type: "object" type: "object" + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: "string" + type: "object" + finalizers: + items: + type: "string" + type: "array" + labels: + additionalProperties: + type: "string" + type: "object" + name: + type: "string" + namespace: + type: "string" + type: "object" + spec: + properties: + accessModes: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + dataSource: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + required: + - "kind" + - "name" + type: "object" + x-kubernetes-map-type: "atomic" + dataSourceRef: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + namespace: + type: "string" + required: + - "kind" + - "name" + type: "object" + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + type: "object" + selector: + properties: + matchExpressions: + items: + properties: + key: + type: "string" + operator: + type: "string" + values: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + type: "string" + 
volumeAttributesClassName: + type: "string" + volumeMode: + type: "string" + volumeName: + type: "string" + type: "object" + required: + - "spec" + type: "object" volumeLimitSize: anyOf: - type: "integer" 
@@ -523,6 +747,118 @@ spec: x-kubernetes-int-or-string: true type: "object" type: "object" + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: "string" + type: "object" + finalizers: + items: + type: "string" + type: "array" + labels: + additionalProperties: + type: "string" + type: "object" + name: + type: "string" + namespace: + type: "string" + type: "object" + spec: + properties: + accessModes: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + dataSource: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + required: + - "kind" + - "name" + type: "object" + x-kubernetes-map-type: "atomic" + dataSourceRef: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + namespace: + type: "string" + required: + - "kind" + - "name" + type: "object" + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + type: "object" + selector: + properties: + matchExpressions: + items: + properties: + key: + type: "string" + operator: + type: "string" + values: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + type: "string" + 
volumeAttributesClassName: + type: "string" + volumeMode: + type: "string" + volumeName: + type: "string" + type: "object" + required: + - "spec" + type: "object" volumeLimitSize: anyOf: - type: "integer" 
@@ -645,6 +981,118 @@ spec: x-kubernetes-int-or-string: true type: "object" type: "object" + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: "string" + type: "object" + finalizers: + items: + type: "string" + type: "array" + labels: + additionalProperties: + type: "string" + type: "object" + name: + type: "string" + namespace: + type: "string" + type: "object" + spec: + properties: + accessModes: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + dataSource: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + required: + - "kind" + - "name" + type: "object" + x-kubernetes-map-type: "atomic" + dataSourceRef: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + namespace: + type: "string" + required: + - "kind" + - "name" + type: "object" + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + type: "object" + selector: + properties: + matchExpressions: + items: + properties: + key: + type: "string" + operator: + type: "string" + values: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + type: "string" + 
volumeAttributesClassName: + type: "string" + volumeMode: + type: "string" + volumeName: + type: "string" + type: "object" + required: + - "spec" + type: "object" volumeLimitSize: anyOf: - type: "integer" 
@@ -823,6 +1271,118 @@ spec: x-kubernetes-int-or-string: true type: "object" type: "object" + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: "string" + type: "object" + finalizers: + items: + type: "string" + type: "array" + labels: + additionalProperties: + type: "string" + type: "object" + name: + type: "string" + namespace: + type: "string" + type: "object" + spec: + properties: + accessModes: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + dataSource: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + required: + - "kind" + - "name" + type: "object" + x-kubernetes-map-type: "atomic" + dataSourceRef: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + namespace: + type: "string" + required: + - "kind" + - "name" + type: "object" + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + type: "object" + selector: + properties: + matchExpressions: + items: + properties: + key: + type: "string" + operator: + type: "string" + values: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + type: "string" + 
volumeAttributesClassName: + type: "string" + volumeMode: + type: "string" + volumeName: + type: "string" + type: "object" + required: + - "spec" + type: "object" volumeLimitSize: anyOf: - type: "integer" 
@@ -933,6 +1493,118 @@ spec: x-kubernetes-int-or-string: true type: "object" type: "object" + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: "string" + type: "object" + finalizers: + items: + type: "string" + type: "array" + labels: + additionalProperties: + type: "string" + type: "object" + name: + type: "string" + namespace: + type: "string" + type: "object" + spec: + properties: + accessModes: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + dataSource: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + required: + - "kind" + - "name" + type: "object" + x-kubernetes-map-type: "atomic" + dataSourceRef: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + namespace: + type: "string" + required: + - "kind" + - "name" + type: "object" + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + type: "object" + selector: + properties: + matchExpressions: + items: + properties: + key: + type: "string" + operator: + type: "string" + values: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + type: "string" + 
volumeAttributesClassName: + type: "string" + volumeMode: + type: "string" + volumeName: + type: "string" + type: "object" + required: + - "spec" + type: "object" volumeLimitSize: anyOf: - type: "integer" 
@@ -1056,6 +1728,118 @@ spec: x-kubernetes-int-or-string: true type: "object" type: "object" + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: "string" + type: "object" + finalizers: + items: + type: "string" + type: "array" + labels: + additionalProperties: + type: "string" + type: "object" + name: + type: "string" + namespace: + type: "string" + type: "object" + spec: + properties: + accessModes: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + dataSource: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + required: + - "kind" + - "name" + type: "object" + x-kubernetes-map-type: "atomic" + dataSourceRef: + properties: + apiGroup: + type: "string" + kind: + type: "string" + name: + type: "string" + namespace: + type: "string" + required: + - "kind" + - "name" + type: "object" + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + type: "object" + selector: + properties: + matchExpressions: + items: + properties: + key: + type: "string" + operator: + type: "string" + values: + items: + type: "string" + type: "array" + x-kubernetes-list-type: "atomic" + required: + - "key" + - "operator" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + matchLabels: + additionalProperties: + type: "string" + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + type: "string" + 
volumeAttributesClassName: + type: "string" + volumeMode: + type: "string" + volumeName: + type: "string" + type: "object" + required: + - "spec" + type: "object" volumeLimitSize: anyOf: - type: "integer" diff --git a/crd-catalog/open-telemetry/opentelemetry-operator/opentelemetry.io/v1beta1/opentelemetrycollectors.yaml b/crd-catalog/open-telemetry/opentelemetry-operator/opentelemetry.io/v1beta1/opentelemetrycollectors.yaml index 7142af9de..3664b3ba7 100644 --- a/crd-catalog/open-telemetry/opentelemetry-operator/opentelemetry.io/v1beta1/opentelemetrycollectors.yaml +++ b/crd-catalog/open-telemetry/opentelemetry-operator/opentelemetry.io/v1beta1/opentelemetrycollectors.yaml @@ -2419,6 +2419,13 @@ spec: type: "boolean" type: "object" type: "object" + persistentVolumeClaimRetentionPolicy: + properties: + whenDeleted: + type: "string" + whenScaled: + type: "string" + type: "object" podAnnotations: additionalProperties: type: "string" diff --git a/crd-catalog/openshift/hive/hive.openshift.io/v1/clusterdeploymentcustomizations.yaml b/crd-catalog/openshift/hive/hive.openshift.io/v1/clusterdeploymentcustomizations.yaml index 0cf7bf1bb..b6f760950 100644 --- a/crd-catalog/openshift/hive/hive.openshift.io/v1/clusterdeploymentcustomizations.yaml +++ b/crd-catalog/openshift/hive/hive.openshift.io/v1/clusterdeploymentcustomizations.yaml 
@@ -32,24 +32,34 @@ spec: installConfigPatches: description: "InstallConfigPatches is a list of patches to be applied to the install-config." items: - description: "PatchEntity represent a json patch (RFC 6902) to be applied to the install-config" + description: "PatchEntity represents a json patch (RFC 6902) to be applied" properties: from: description: "From is the json path to copy or move the value from" type: "string" op: - description: "Op is the operation to perform: add, remove, replace, move, copy, test" + description: "Op is the operation to perform." + enum: + - "add" + - "remove" + - "replace" + - "move" + - "copy" + - "test" type: "string" path: description: "Path is the json path to the value to be modified" type: "string" value: - description: "Value is the value to be used in the operation" + description: "Value is the *string* value to be used in the operation. For more complex values, use\nValueJSON." + type: "string" + valueJSON: + description: "ValueJSON is a string representing a JSON object to be used in the operation. As such,\ninternal quotes must be escaped. If nonempty, Value is ignored." + format: "byte" type: "string" required: - "op" - "path" - - "value" type: "object" type: "array" type: "object" diff --git a/crd-catalog/openshift/hive/hive.openshift.io/v1/hiveconfigs.yaml b/crd-catalog/openshift/hive/hive.openshift.io/v1/hiveconfigs.yaml index c502daada..aa3de39de 100644 --- a/crd-catalog/openshift/hive/hive.openshift.io/v1/hiveconfigs.yaml +++ b/crd-catalog/openshift/hive/hive.openshift.io/v1/hiveconfigs.yaml 
@@ -144,7 +144,8 @@ spec: type: "object" type: "object" clusterVersionPollInterval: - description: "ClusterVersionPollInterval is a string duration indicating how much time must pass before checking\nwhether we need to update the hive.openshift.io/version* labels on ClusterDeployment. If zero or unset,\nwe'll only reconcile when the ClusterDeployment changes." + description: "ClusterVersionPollInterval is a string duration indicating how much time must pass before checking\nwhether we need to update the hive.openshift.io/version* labels on ClusterDeployment. If zero or unset,\nwe'll only reconcile when the ClusterDeployment changes.\nThis is a Duration value; see https://pkg.go.dev/time#ParseDuration for accepted formats.\nNote: due to discrepancies in validation vs parsing, we use a Pattern instead of `Format=duration`. See\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2050332\nhttps://github.com/kubernetes/apimachinery/issues/131\nhttps://github.com/kubernetes/apiextensions-apiserver/issues/56" + pattern: "^([0-9]+(\\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$" type: "string" controllersConfig: description: "ControllersConfig is used to configure different hive controllers" 
@@ -461,7 +462,8 @@ spec: description: "LogLevel is the level of logging to use for the Hive controllers.\nAcceptable levels, from coarsest to finest, are panic, fatal, error, warn, info, debug, and trace.\nThe default level is info." type: "string" machinePoolPollInterval: - description: "MachinePoolPollInterval is a string duration indicating how much time must pass before checking whether\nremote resources related to MachinePools need to be reapplied. Set to zero to disable polling -- we'll\nonly reconcile when hub objects change.\nThe default interval is 30m." + description: "MachinePoolPollInterval is a string duration indicating how much time must pass before checking whether\nremote resources related to MachinePools need to be reapplied. Set to zero to disable polling -- we'll\nonly reconcile when hub objects change.\nThe default interval is 30m.\nThis is a Duration value; see https://pkg.go.dev/time#ParseDuration for accepted formats.\nNote: due to discrepancies in validation vs parsing, we use a Pattern instead of `Format=duration`. See\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2050332\nhttps://github.com/kubernetes/apimachinery/issues/131\nhttps://github.com/kubernetes/apiextensions-apiserver/issues/56" + pattern: "^([0-9]+(\\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$" type: "string" maintenanceMode: description: "MaintenanceMode can be set to true to disable the hive controllers in situations where we need to ensure\nnothing is running that will add or act upon finalizers on Hive types. This should rarely be needed.\nSets replicas to 0 for the hive-controllers deployment to accomplish this." 
@@ -649,7 +651,8 @@ spec: type: "object" type: "object" syncSetReapplyInterval: - description: "SyncSetReapplyInterval is a string duration indicating how much time must pass before SyncSet resources\nwill be reapplied.\nThe default reapply interval is two hours." + description: "SyncSetReapplyInterval is a string duration indicating how much time must pass before SyncSet resources\nwill be reapplied.\nThe default reapply interval is two hours.\nThis is a Duration value; see https://pkg.go.dev/time#ParseDuration for accepted formats.\nNote: due to discrepancies in validation vs parsing, we use a Pattern instead of `Format=duration`. See\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2050332\nhttps://github.com/kubernetes/apimachinery/issues/131\nhttps://github.com/kubernetes/apiextensions-apiserver/issues/56" + pattern: "^([0-9]+(\\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$" type: "string" targetNamespace: description: "TargetNamespace is the namespace where the core Hive components should be run. Defaults to \"hive\". Will be\ncreated if it does not already exist. All resource references in HiveConfig can be assumed to be in the\nTargetNamespace.\nNOTE: Whereas it is possible to edit this value, causing hive to \"move\" its core components to the new\nnamespace, the old namespace is not deleted, as it will still contain resources created by kubernetes\nand/or other OpenShift controllers." diff --git a/crd-catalog/projectcalico/calico/crd.projectcalico.org/v1/felixconfigurations.yaml b/crd-catalog/projectcalico/calico/crd.projectcalico.org/v1/felixconfigurations.yaml index 83bd0644b..a56337704 100644 --- a/crd-catalog/projectcalico/calico/crd.projectcalico.org/v1/felixconfigurations.yaml +++ b/crd-catalog/projectcalico/calico/crd.projectcalico.org/v1/felixconfigurations.yaml 
@@ -29,13 +29,13 @@ spec: description: "FelixConfigurationSpec contains the values of the Felix configuration." properties: allowIPIPPacketsFromWorkloads: - description: "AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic from workloads [Default: false]" + description: "AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic from workloads. [Default: false]" type: "boolean" allowVXLANPacketsFromWorkloads: - description: "AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic from workloads [Default: false]" + description: "AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic from workloads. [Default: false]" type: "boolean" awsSrcDstCheck: - description: "Set source-destination-check on AWS EC2 instances. Accepted value must be one of \"DoNothing\", \"Enable\" or \"Disable\". [Default: DoNothing]" + description: "AWSSrcDstCheck controls whether Felix will try to change the \"source/dest check\" setting on the EC2 instance on which it is running. A value of \"Disable\" will try to disable the source/dest check. Disabling the check allows for sending workload traffic without encapsulation within the same AWS subnet. [Default: DoNothing]" enum: - "DoNothing" - "Enable" 
@@ -52,10 +52,10 @@ spec: - "Disabled" type: "string" bpfConnectTimeLoadBalancingEnabled: - description: "BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging purposes. This will be deprecated. Use BPFConnectTimeLoadBalancing [Default: true]" + description: "BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging purposes. \n Deprecated: Use BPFConnectTimeLoadBalancing [Default: true]" type: "boolean" bpfDSROptoutCIDRs: - description: "BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients in those CIDRs will accesses nodeports as if BPFExternalServiceMode was set to Tunnel." + description: "BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients in those CIDRs will access service node ports as if BPFExternalServiceMode was set to Tunnel." items: type: "string" type: "array" 
@@ -81,7 +81,7 @@ spec: type: "string" type: "array" bpfExtToServiceConnmark: - description: "BPFExtToServiceConnmark in BPF mode, control a 32bit mark that is set on connections from an external client to a local service. This mark allows us to control how packets of that connection are routed within the host and how is routing interpreted by RPF check. [Default: 0]" + description: "BPFExtToServiceConnmark in BPF mode, controls a 32bit mark that is set on connections from an external client to a local service. This mark allows us to control how packets of that connection are routed within the host and how is routing interpreted by RPF check. [Default: 0]" type: "integer" bpfExternalServiceMode: description: "BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports and cluster IPs) are forwarded to remote workloads. If set to \"Tunnel\" then both request and response traffic is tunneled to the remote node. If set to \"DSR\", the request traffic is tunneled but the response traffic is sent directly from the remote node. In \"DSR\" mode, the remote node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]" 
@@ -133,12 +133,13 @@ spec: description: "BPFMapSizeIfState sets the size for ifstate map. The ifstate map must be large enough to hold an entry for each device (host + workloads) on a host." type: "integer" bpfMapSizeNATAffinity: + description: "BPFMapSizeNATAffinity sets the size of the BPF map that stores the affinity of a connection (for services that enable that feature." type: "integer" bpfMapSizeNATBackend: - description: "BPFMapSizeNATBackend sets the size for nat back end map. This is the total number of endpoints. This is mostly more than the size of the number of services." + description: "BPFMapSizeNATBackend sets the size for NAT back end map. This is the total number of endpoints. This is mostly more than the size of the number of services." type: "integer" bpfMapSizeNATFrontend: - description: "BPFMapSizeNATFrontend sets the size for nat front end map. FrontendMap should be large enough to hold an entry for each nodeport, external IP and each port in each service." + description: "BPFMapSizeNATFrontend sets the size for NAT front end map. FrontendMap should be large enough to hold an entry for each nodeport, external IP and each port in each service." type: "integer" bpfMapSizeRoute: description: "BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and tunnel IPs)." 
@@ -155,66 +156,78 @@ spec: type: "boolean" bpfRedirectToPeer: description: "BPFRedirectToPeer controls which whether it is allowed to forward straight to the peer side of the workload devices. It is allowed for any host L2 devices by default (L2Only), but it breaks TCP dump on the host side of workload device as it bypasses it on ingress. Value of Enabled also allows redirection from L3 host devices like IPIP tunnel or Wireguard directly to the peer side of the workload's device. This makes redirection faster, however, it breaks tools like tcpdump on the peer side. Use Enabled with caution. [Default: L2Only]" + enum: + - "Enabled" + - "Disabled" + - "L2Only" type: "string" chainInsertMode: description: "ChainInsertMode controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents Calico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: insert]" - pattern: "^(?i)(insert|append)?$" + pattern: "^(?i)(Insert|Append)?$" type: "string" dataplaneDriver: description: "DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver is set to false." type: "string" dataplaneWatchdogTimeout: - description: "DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live or non-ready more quickly. [Default: 90s] \n Deprecated: replaced by the generic HealthTimeoutOverrides." + description: "DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. 
Deprecated: replaced by the generic HealthTimeoutOverrides." type: "string" debugDisableLogDropping: + description: "DebugDisableLogDropping disables the dropping of log messages when the log buffer is full. This can significantly impact performance if log write-out is a bottleneck. [Default: false]" type: "boolean" debugHost: description: "DebugHost is the host IP or hostname to bind the debug port to. Only used if DebugPort is set. [Default:localhost]" type: "string" debugMemoryProfilePath: + description: "DebugMemoryProfilePath is the path to write the memory profile to when triggered by signal." type: "string" debugPort: description: "DebugPort if set, enables Felix's debug HTTP port, which allows memory and CPU profiles to be retrieved. The debug port is not secure, it should not be exposed to the internet." type: "integer" debugSimulateCalcGraphHangAfter: + description: "DebugSimulateCalcGraphHangAfter is used to simulate a hang in the calculation graph after the specified duration. This is useful in tests of the watchdog system only!" pattern: "^([0-9]+(\\\\.[0-9]+)?(ms|s|m|h))*$" type: "string" debugSimulateDataplaneApplyDelay: + description: "DebugSimulateDataplaneApplyDelay adds an artificial delay to every dataplane operation. This is useful for simulating a heavily loaded system for test purposes only." pattern: "^([0-9]+(\\\\.[0-9]+)?(ms|s|m|h))*$" type: "string" debugSimulateDataplaneHangAfter: + description: "DebugSimulateDataplaneHangAfter is used to simulate a hang in the dataplane after the specified duration. This is useful in tests of the watchdog system only!" pattern: "^([0-9]+(\\\\.[0-9]+)?(ms|s|m|h))*$" type: "string" defaultEndpointToHostAction: - description: "DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an iptables \"DROP\" action. 
If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables \"INPUT\" chain; Calico will insert its rules at the top of that chain, then \"RETURN\" packets to the \"INPUT\" chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]" + description: "DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host itself (after the endpoint's egress policy is applied). By default, Calico blocks traffic from workload endpoints to the host itself with an iptables \"DROP\" action. If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables \"INPUT\" chain; Calico will insert its rules at the top of that chain, then \"RETURN\" packets to the \"INPUT\" chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]" pattern: "^(?i)(Drop|Accept|Return)?$" type: "string" deviceRouteProtocol: - description: "This defines the route protocol added to programmed device routes, by default this will be RTPROT_BOOT when left blank." + description: "DeviceRouteProtocol controls the protocol to set on routes programmed by Felix. The protocol is an 8-bit label used to identify the owner of the route." type: "integer" deviceRouteSourceAddress: - description: "This is the IPv4 source address to use on programmed device routes. By default the source address is left blank, leaving the kernel to choose the source address used." + description: "DeviceRouteSourceAddress IPv4 address to set as the source hint for routes programmed by Felix. 
When not set the source address for local traffic from host to workload will be determined by the kernel." type: "string" deviceRouteSourceAddressIPv6: - description: "This is the IPv6 source address to use on programmed device routes. By default the source address is left blank, leaving the kernel to choose the source address used." + description: "DeviceRouteSourceAddressIPv6 IPv6 address to set as the source hint for routes programmed by Felix. When not set the source address for local traffic from host to workload will be determined by the kernel." type: "string" disableConntrackInvalidCheck: + description: "DisableConntrackInvalidCheck disables the check for invalid connections in conntrack. While the conntrack invalid check helps to detect malicious traffic, it can also cause issues with certain multi-NIC scenarios." type: "boolean" endpointReportingDelay: + description: "EndpointReportingDelay is the delay before Felix reports endpoint status to the datastore. This is only used by the OpenStack integration. [Default: 1s]" pattern: "^([0-9]+(\\\\.[0-9]+)?(ms|s|m|h))*$" type: "string" endpointReportingEnabled: + description: "EndpointReportingEnabled controls whether Felix reports endpoint status to the datastore. This is only used by the OpenStack integration. [Default: false]" type: "boolean" endpointStatusPathPrefix: - description: "EndpointStatusPathPrefix is the path to the directory where endpoint status will be written. Endpoint status file reporting is disabled if field is left empty. \n Chosen directory should match the directory used by the CNI for PodStartupDelay. [Default: \"\"]" + description: "EndpointStatusPathPrefix is the path to the directory where endpoint status will be written. Endpoint status file reporting is disabled if field is left empty. \n Chosen directory should match the directory used by the CNI plugin for PodStartupDelay. 
[Default: \"\"]" type: "string" externalNodesList: - description: "ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes which may source tunnel traffic and have the tunneled traffic be accepted at calico nodes." + description: "ExternalNodesCIDRList is a list of CIDR's of external, non-Calico nodes from which VXLAN/IPIP overlay traffic will be allowed. By default, external tunneled traffic is blocked to reduce attack surface." items: type: "string" type: "array" failsafeInboundHostPorts: - description: "FailsafeInboundHostPorts is a list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value \"[]\". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ]" + description: "FailsafeInboundHostPorts is a list of ProtoPort struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value \"[]\". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ]" items: description: "ProtoPort is combination of protocol, port, and CIDR. 
Protocol and port must be specified." properties: @@ -226,11 +239,10 @@ spec: type: "string" required: - "port" - - "protocol" type: "object" type: "array" failsafeOutboundHostPorts: - description: "FailsafeOutboundHostPorts is a list of List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value \"[]\". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ]" + description: "FailsafeOutboundHostPorts is a list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value \"[]\". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ]" items: description: "ProtoPort is combination of protocol, port, and CIDR. Protocol and port must be specified." properties: 
@@ -242,11 +254,10 @@ spec: type: "string" required: - "port" - - "protocol" type: "object" type: "array" featureDetectOverride: - description: "FeatureDetectOverride is used to override feature detection based on auto-detected platform capabilities. Values are specified in a comma separated list with no spaces, example; \"SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=\". \"true\" or \"false\" will force the feature, empty or omitted values are auto-detected." + description: "FeatureDetectOverride is used to override feature detection based on auto-detected platform capabilities. Values are specified in a comma separated list with no spaces, example; \"SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=\". A value of \"true\" or \"false\" will force enable/disable feature, empty or omitted values fall back to auto-detection." pattern: "^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$" type: "string" featureGates: 
@@ -272,10 +283,13 @@ spec: description: "GoMemoryLimitMB sets a (soft) memory limit for the Go runtime in MB. The Go runtime will try to keep its memory usage under the limit by triggering GC as needed. To avoid thrashing, it will exceed the limit if GC starts to take more than 50% of the process's CPU time. A value of -1 disables the memory limit. \n Note that the memory limit, if used, must be considerably less than any hard resource limit set at the container or pod level. This is because felix is not the only process that must run in the container or pod. \n This setting is overridden by the GOMEMLIMIT environment variable. \n [Default: -1]" type: "integer" healthEnabled: + description: "HealthEnabled if set to true, enables Felix's health port, which provides readiness and liveness endpoints. [Default: false]" type: "boolean" healthHost: + description: "HealthHost is the host that the health server should bind to. [Default: localhost]" type: "string" healthPort: + description: "HealthPort is the TCP port that the health server should bind to. [Default: 9099]" type: "integer" healthTimeoutOverrides: description: "HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be overridden. This is useful for working around \"false positive\" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs." 
@@ -291,7 +305,7 @@ spec: type: "object" type: "array" interfaceExclude: - description: "InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The default value ensures that Felix ignores Kubernetes' IPVS dummy interface, which is used internally by kube-proxy. If you want to exclude multiple interface names using a single value, the list supports regular expressions. For regular expressions you must wrap the value with '/'. For example having values '/^kube/,veth1' will exclude all interfaces that begin with 'kube' and also the interface 'veth1'. [Default: kube-ipvs0]" + description: "InterfaceExclude A comma-separated list of interface names that should be excluded when Felix is resolving host endpoints. The default value ensures that Felix ignores Kubernetes' internal `kube-ipvs0` device. If you want to exclude multiple interface names using a single value, the list supports regular expressions. For regular expressions you must wrap the value with `/`. For example having values `/^kube/,veth1` will exclude all interfaces that begin with `kube` and also the interface `veth1`. [Default: kube-ipvs0]" type: "string" interfacePrefix: description: "InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators configure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value, and our OpenStack integration sets the 'tap' value. [Default: cali]" 
@@ -301,7 +315,7 @@ spec: pattern: "^([0-9]+(\\\\.[0-9]+)?(ms|s|m|h))*$" type: "string" ipForwarding: - description: "IPForwarding controls whether Felix sets the host sysctls to enable IP forwarding. IP forwarding is required when using Calico for workload networking. This should only be disabled on hosts where Calico is used for host protection. In BPF mode, due to a kernel interaction, either IPForwarding must be enabled or BPFEnforceRPF must be disabled. [Default: Enabled]" + description: "IPForwarding controls whether Felix sets the host sysctls to enable IP forwarding. IP forwarding is required when using Calico for workload networking. This should be disabled only on hosts where Calico is used solely for host protection. In BPF mode, due to a kernel interaction, either IPForwarding must be enabled or BPFEnforceRPF must be disabled. [Default: Enabled]" enum: - "Enabled" - "Disabled" 
@@ -310,17 +324,18 @@ spec: description: "IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]" type: "boolean" ipipMTU: - description: "IPIPMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]" + description: "IPIPMTU controls the MTU to set on the IPIP tunnel device. Optional as Felix auto-detects the MTU based on the MTU of the host's interfaces. [Default: 0 (auto-detect)]" type: "integer" ipsetsRefreshInterval: - description: "IpsetsRefreshInterval is the period at which Felix re-checks all iptables state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable iptables refresh. [Default: 90s]" + description: "IpsetsRefreshInterval controls the period at which Felix re-checks all IP sets to look for discrepancies. Set to 0 to disable the periodic refresh. [Default: 90s]" pattern: "^([0-9]+(\\\\.[0-9]+)?(ms|s|m|h))*$" type: "string" iptablesBackend: - description: "IptablesBackend specifies which backend of iptables will be used. The default is Auto." - pattern: "^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$" + description: "IptablesBackend controls which backend of iptables will be used. The default is `Auto`. \n Warning: changing this on a running system can leave \"orphaned\" rules in the \"other\" backend. These should be cleaned up to avoid confusing interactions." + pattern: "^(?i)(Auto|Legacy|NFT)?$" type: "string" iptablesFilterAllowAction: + description: "IptablesFilterAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the iptables filter table (which is used for \"normal\" policy). The default will immediately `Accept` the traffic. Use `Return` to send the traffic back up to the system chains for further processing." pattern: "^(?i)(Accept|Return)?$" type: "string" iptablesFilterDenyAction: 
@@ -331,21 +346,23 @@ spec: description: "IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in its standard location (for example if you have mapped it into Felix's container at a different path). [Default: /run/xtables.lock]" type: "string" iptablesLockProbeInterval: - description: "IptablesLockProbeInterval is the time that Felix will wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended, but use more CPU. [Default: 50ms]" + description: "IptablesLockProbeInterval when IptablesLockTimeout is enabled: the time that Felix will wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended, but use more CPU. [Default: 50ms]" pattern: "^([0-9]+(\\\\.[0-9]+)?(ms|s|m|h))*$" type: "string" iptablesLockTimeout: - description: "IptablesLockTimeout is the time that Felix will wait for the iptables lock, or 0, to disable. To use this feature, Felix must share the iptables lock file with all other processes that also take the lock. When running Felix inside a container, this requires the /run directory of the host to be mounted into the calico/node or calico/felix container. [Default: 0s disabled]" + description: "IptablesLockTimeout is the time that Felix itself will wait for the iptables lock (rather than delegating the lock handling to the `iptables` command). \n Deprecated: `iptables-restore` v1.8+ always takes the lock, so enabling this feature results in deadlock. [Default: 0s disabled]" pattern: "^([0-9]+(\\\\.[0-9]+)?(ms|s|m|h))*$" type: "string" iptablesMangleAllowAction: + description: "IptablesMangleAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the iptables mangle table (which is used for \"pre-DNAT\" policy). The default will immediately `Accept` the traffic. 
Use `Return` to send the traffic back up to the system chains for further processing." pattern: "^(?i)(Accept|Return)?$" type: "string" iptablesMarkMask: - description: "IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xff000000]" + description: "IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xffff0000]" format: "int32" type: "integer" iptablesNATOutgoingInterfaceFilter: + description: "This parameter can be used to limit the host interfaces on which Calico will apply SNAT to traffic leaving a Calico IPAM pool with \"NAT outgoing\" enabled. This can be useful if you have a main data interface, where traffic should be SNATted and a secondary device (such as the docker bridge) which is local to the host and doesn't require SNAT. This parameter uses the iptables interface matching syntax, which allows + as a wildcard. Most users will not need to set this. Example: if your data interfaces are eth0 and eth1 and you want to exclude the docker bridge, you could set this to eth+" type: "string" iptablesPostWriteCheckInterval: description: "IptablesPostWriteCheckInterval is the period after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn't respect the iptables lock. [Default: 1s]" 
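Review bot: The `iptablesMarkMask` description now documents `[Default: 0xffff0000]` while the field keeps `format: "int32"`, and 0xffff0000 (4294901760) is above the signed 32-bit maximum of 2147483647; `nftablesMarkMask` in the `@@ -411,24 +428,31 @@` hunk carries the same combination. A consumer that maps `format: "int32"` to a signed 32-bit integer presumably cannot represent the documented default, so the mask would be better declared as an unsigned 32-bit quantity, for example `format: "int64"` with a sentence in the description saying the value is a 32-bit mask. Separately, the new `iptablesLockTimeout` text says that enabling the feature deadlocks with `iptables-restore` v1.8+, yet the `pattern` still accepts any duration, so nothing in the schema keeps the setting at its disabled default.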
@@ -401,7 +418,7 @@ spec: description: "MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order to calculate the host's MTU. This should not match workload interfaces (usually named cali...)." type: "string" natOutgoingAddress: - description: "NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that is leaving the network. By default the address used is an address on the interface the traffic is leaving on (ie it uses the iptables MASQUERADE target)" + description: "NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that is leaving the network. By default the address used is an address on the interface the traffic is leaving on (i.e. it uses the iptables MASQUERADE target)." type: "string" natPortRange: anyOf: 
@@ -411,24 +428,31 @@ spec: pattern: "^.*" x-kubernetes-int-or-string: true netlinkTimeout: + description: "NetlinkTimeout is the timeout when talking to the kernel over the netlink protocol, used for programming routes, rules, and other kernel objects. [Default: 10s]" pattern: "^([0-9]+(\\\\.[0-9]+)?(ms|s|m|h))*$" type: "string" nftablesFilterAllowAction: + description: "NftablesFilterAllowAction controls the nftables action that Felix uses to represent the \"allow\" policy verdict in the filter table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules." pattern: "^(?i)(Accept|Return)?$" type: "string" nftablesFilterDenyAction: - description: "FilterDenyAction controls what happens to traffic that is denied by network policy. By default Calico blocks traffic with a \"drop\" action. If you want to use a \"reject\" action instead you can configure it here." + description: "NftablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default, Calico blocks traffic with a \"drop\" action. If you want to use a \"reject\" action instead you can configure it here." pattern: "^(?i)(Drop|Reject)?$" type: "string" nftablesMangleAllowAction: + description: "NftablesMangleAllowAction controls the nftables action that Felix uses to represent the \"allow\" policy verdict in the mangle table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules." pattern: "^(?i)(Accept|Return)?$" type: "string" nftablesMarkMask: - description: "MarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. 
[Default: 0xffff0000]" + description: "NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xffff0000]" format: "int32" type: "integer" nftablesMode: description: "NFTablesMode configures nftables support in Felix. [Default: Disabled]" + enum: + - "Disabled" + - "Enabled" + - "Auto" type: "string" nftablesRefreshInterval: description: "NftablesRefreshInterval controls the interval at which Felix periodically refreshes the nftables rules. [Default: 90s]" @@ -458,7 +482,7 @@ spec: description: "PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]" type: "boolean" removeExternalRoutes: - description: "Whether or not to remove device routes that have not been programmed by Felix. Disabling this will allow external applications to also add device routes. This is enabled by default which means we will remove externally added routes." + description: "RemoveExternalRoutes Controls whether Felix will remove unexpected routes to workload interfaces. Felix will always clean up expected routes that use the configured DeviceRouteProtocol. To add your own routes, you must use a distinct protocol (in addition to setting this field to false)." type: "boolean" reportingInterval: description: "ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. Must be non-zero in OpenStack deployments. [Default: 30s]" 
@@ -528,17 +552,19 @@ spec: description: "VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]" type: "boolean" vxlanMTU: - description: "VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. See Configuring MTU [Default: 1410]" + description: "VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the MTU of the host's interfaces. [Default: 0 (auto-detect)]" type: "integer" vxlanMTUV6: - description: "VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. See Configuring MTU [Default: 1390]" + description: "VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the MTU of the host's interfaces. [Default: 0 (auto-detect)]" type: "integer" vxlanPort: + description: "VXLANPort is the UDP port number to use for VXLAN traffic. [Default: 4789]" type: "integer" vxlanVNI: + description: "VXLANVNI is the VXLAN VNI to use for VXLAN traffic. You may need to change this if the default value is in use on your system. [Default: 4096]" type: "integer" windowsManageFirewallRules: - description: "WindowsManageFirewallRules configures whether or not Felix will program Windows Firewall rules. (to allow inbound access to its own metrics ports) [Default: Disabled]" + description: "WindowsManageFirewallRules configures whether or not Felix will program Windows Firewall rules (to allow inbound access to its own metrics ports). [Default: Disabled]" enum: - "Enabled" - "Disabled" 
@@ -559,7 +585,7 @@ spec: description: "WireguardInterfaceNameV6 specifies the name to use for the IPv6 Wireguard interface. [Default: wg-v6.cali]" type: "string" wireguardKeepAlive: - description: "WireguardKeepAlive controls Wireguard PersistentKeepalive option. Set 0 to disable. [Default: 0]" + description: "WireguardPersistentKeepAlive controls Wireguard PersistentKeepalive option. Set 0 to disable. [Default: 0]" pattern: "^([0-9]+(\\\\.[0-9]+)?(ms|s|m|h))*$" type: "string" wireguardListeningPort: diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.yaml b/crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.yaml index dc2aa78ce..0cdba8c4d 100644 --- a/crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.yaml +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "httpproxies.projectcontour.io" spec: group: "projectcontour.io" @@ -461,6 +461,8 @@ spec: description: "HeaderName is the name of the HTTP request header that will be used to\ncalculate the hash key. If the header specified is not present on a\nrequest, no hash will be produced." minLength: 1 type: "string" + required: + - "headerName" type: "object" queryParameterHashOptions: description: "QueryParameterHashOptions should be set when request query parameter hash based load\nbalancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." 
@@ -469,6 +471,8 @@ spec: description: "ParameterName is the name of the HTTP request query parameter that will be used to\ncalculate the hash key. If the query parameter specified is not present on a\nrequest, no hash will be produced." minLength: 1 type: "string" + required: + - "parameterName" type: "object" terminal: description: "Terminal is a flag that allows for short-circuiting computing of a hash\nfor a given request. If set to true, and the request attribute specified\nin the attribute hash options is present, no further hash policies will\nbe used to calculate a hash for the request." @@ -529,6 +533,8 @@ spec: description: "Value defines the value of the descriptor entry." minLength: 1 type: "string" + required: + - "value" type: "object" remoteAddress: description: "RemoteAddress defines a descriptor entry with a key of \"remote_address\"\nand a value equal to the client's IP address (from x-forwarded-for)." @@ -544,6 +550,9 @@ spec: description: "HeaderName defines the name of the header to look for on the request." minLength: 1 type: "string" + required: + - "descriptorKey" + - "headerName" type: "object" requestHeaderValueMatch: description: "RequestHeaderValueMatch defines a descriptor entry that's populated\nif the request's headers match a set of 1+ match criteria. The\ndescriptor key is \"header_match\", and the descriptor value is static." @@ -596,10 +605,14 @@ spec: description: "Value defines the value of the descriptor entry." minLength: 1 type: "string" + required: + - "value" type: "object" type: "object" minItems: 1 type: "array" + required: + - "entries" type: "object" minItems: 1 type: "array" 
@@ -1059,6 +1072,8 @@ spec: description: "HeaderName is the name of the HTTP request header that will be used to\ncalculate the hash key. If the header specified is not present on a\nrequest, no hash will be produced." minLength: 1 type: "string" + required: + - "headerName" type: "object" queryParameterHashOptions: description: "QueryParameterHashOptions should be set when request query parameter hash based load\nbalancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." @@ -1067,6 +1082,8 @@ spec: description: "ParameterName is the name of the HTTP request query parameter that will be used to\ncalculate the hash key. If the query parameter specified is not present on a\nrequest, no hash will be produced." minLength: 1 type: "string" + required: + - "parameterName" type: "object" terminal: description: "Terminal is a flag that allows for short-circuiting computing of a hash\nfor a given request. If set to true, and the request attribute specified\nin the attribute hash options is present, no further hash policies will\nbe used to calculate a hash for the request." @@ -1519,6 +1536,8 @@ spec: description: "Value defines the value of the descriptor entry." minLength: 1 type: "string" + required: + - "value" type: "object" remoteAddress: description: "RemoteAddress defines a descriptor entry with a key of \"remote_address\"\nand a value equal to the client's IP address (from x-forwarded-for)." @@ -1534,6 +1553,9 @@ spec: description: "HeaderName defines the name of the header to look for on the request." minLength: 1 type: "string" + required: + - "descriptorKey" + - "headerName" type: "object" requestHeaderValueMatch: description: "RequestHeaderValueMatch defines a descriptor entry that's populated\nif the request's headers match a set of 1+ match criteria. The\ndescriptor key is \"header_match\", and the descriptor value is static." 
@@ -1586,10 +1608,14 @@ spec: description: "Value defines the value of the descriptor entry." minLength: 1 type: "string" + required: + - "value" type: "object" type: "object" minItems: 1 type: "array" + required: + - "entries" type: "object" minItems: 1 type: "array" @@ -1780,7 +1806,7 @@ spec: - "Unknown" type: "string" type: - description: "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: "type of condition in CamelCase or in foo.example.com/CamelCase." maxLength: 316 pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" type: "string" @@ -1855,7 +1881,7 @@ spec: items: properties: error: - description: "Error is to record the problem with the service port\nThe format of the error shall comply with the following rules:\n- built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.\n---\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: "Error is to record the problem with the service port\nThe format of the error shall comply with the following rules:\n- built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase." maxLength: 316 pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" type: "string" 
@@ -1864,10 +1890,10 @@ spec: format: "int32" type: "integer" protocol: - default: "TCP" description: "Protocol is the protocol of the service port of which status is recorded here\nThe supported values are: \"TCP\", \"UDP\", \"SCTP\"" type: "string" required: + - "error" - "port" - "protocol" type: "object" diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.yaml b/crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.yaml index d739531a8..9b2807309 100644 --- a/crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.yaml +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "tlscertificatedelegations.projectcontour.io" spec: group: "projectcontour.io" @@ -121,7 +121,7 @@ spec: - "Unknown" type: "string" type: - description: "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: "type of condition in CamelCase or in foo.example.com/CamelCase." maxLength: 316 pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" type: "string" diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.yaml b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.yaml index 21902cdf3..3913c5583 100644 --- a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.yaml 
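Review bot: Adding `- "error"` to `required` in this port-status item makes mandatory a field that, per its description in the preceding hunk, only records a problem with the service port, so entries for healthy ports would presumably omit it. Typed bindings generated from this schema would likely change the field from optional to mandatory and could then fail to decode status objects that omit it; the hunk also removes `default: "TCP"` from `protocol`, which stays required. If this is a side effect of the controller-gen bump from v0.15.0 to v0.16.4 rather than an intended API change, the safer reading is to keep only `- "port"` and `- "protocol"` in the list. The enclosing status schema starts outside the hunk.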
+++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "contourconfigurations.projectcontour.io" spec: group: "projectcontour.io" @@ -531,6 +531,8 @@ spec: description: "Value defines the value of the descriptor entry." minLength: 1 type: "string" + required: + - "value" type: "object" remoteAddress: description: "RemoteAddress defines a descriptor entry with a key of \"remote_address\"\nand a value equal to the client's IP address (from x-forwarded-for)." @@ -546,6 +548,9 @@ spec: description: "HeaderName defines the name of the header to look for on the request." minLength: 1 type: "string" + required: + - "descriptorKey" + - "headerName" type: "object" requestHeaderValueMatch: description: "RequestHeaderValueMatch defines a descriptor entry that's populated\nif the request's headers match a set of 1+ match criteria. The\ndescriptor key is \"header_match\", and the descriptor value is static." @@ -598,10 +603,14 @@ spec: description: "Value defines the value of the descriptor entry." minLength: 1 type: "string" + required: + - "value" type: "object" type: "object" minItems: 1 type: "array" + required: + - "entries" type: "object" minItems: 1 type: "array" 
@@ -783,7 +792,7 @@ spec: - "Unknown" type: "string" type: - description: "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: "type of condition in CamelCase or in foo.example.com/CamelCase." maxLength: 316 pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" type: "string" diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.yaml b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.yaml index b6bd94b51..c10728b49 100644 --- a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.yaml +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "contourdeployments.projectcontour.io" spec: group: "projectcontour.io" @@ -47,7 +47,7 @@ spec: description: "Strategy describes the deployment strategy to use to replace existing pods with new pods." properties: rollingUpdate: - description: "Rolling update config params. Present only if DeploymentStrategyType =\nRollingUpdate.\n---\nTODO: Update this to follow our convention for oneOf, whatever we decide it\nto be." + description: "Rolling update config params. Present only if DeploymentStrategyType =\nRollingUpdate." properties: maxSurge: anyOf: 
@@ -140,6 +140,9 @@ spec: name: description: "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container." type: "string" + request: + description: "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request." + type: "string" required: - "name" type: "object" @@ -193,7 +196,7 @@ spec: description: "Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods." properties: rollingUpdate: - description: "Rolling update config params. Present only if type = \"RollingUpdate\".\n---\nTODO: Update this to follow our convention for oneOf, whatever we decide it\nto be. Same as Deployment `strategy.rollingUpdate`.\nSee https://github.com/kubernetes/kubernetes/issues/35345" + description: "Rolling update config params. Present only if type = \"RollingUpdate\"." properties: maxSurge: anyOf: @@ -225,7 +228,7 @@ spec: description: "Strategy describes the deployment strategy to use to replace existing pods with new pods." properties: rollingUpdate: - description: "Rolling update config params. Present only if DeploymentStrategyType =\nRollingUpdate.\n---\nTODO: Update this to follow our convention for oneOf, whatever we decide it\nto be." + description: "Rolling update config params. Present only if DeploymentStrategyType =\nRollingUpdate." properties: maxSurge: anyOf: 
@@ -285,7 +288,7 @@ spec: description: "awsElasticBlockStore represents an AWS Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" properties: fsType: - description: "fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore\nTODO: how do we prevent errors in the filesystem from compromising the machine" + description: "fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" type: "string" partition: description: "partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty)." 
@@ -313,12 +316,14 @@ spec: description: "diskURI is the URI of data disk in the blob storage" type: "string" fsType: + default: "ext4" description: "fsType is Filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified." type: "string" kind: description: "kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared" type: "string" readOnly: + default: false description: "readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts." type: "boolean" required: @@ -364,7 +369,7 @@ spec: properties: name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" type: "object" x-kubernetes-map-type: "atomic" 
@@ -388,7 +393,7 @@ spec: properties: name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" type: "object" x-kubernetes-map-type: "atomic" @@ -428,7 +433,7 @@ spec: x-kubernetes-list-type: "atomic" name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" optional: description: "optional specify whether the ConfigMap or its keys must be defined" 
@@ -449,7 +454,7 @@ spec: properties: name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" type: "object" x-kubernetes-map-type: "atomic" 
@@ -649,7 +654,7 @@ spec: description: "storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1" type: "string" volumeAttributesClassName: - description: "volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string value means that no VolumeAttributesClass\nwill be applied to the claim but it's not allowed to reset this field to empty string once it is set.\nIf unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass\nwill be set by the persistentvolume controller if it exists.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/\n(Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled." + description: "volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. 
An empty string value means that no VolumeAttributesClass\nwill be applied to the claim but it's not allowed to reset this field to empty string once it is set.\nIf unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass\nwill be set by the persistentvolume controller if it exists.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/\n(Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default)." type: "string" volumeMode: description: "volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec." @@ -666,7 +671,7 @@ spec: description: "fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod." properties: fsType: - description: "fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nTODO: how do we prevent errors in the filesystem from compromising the machine" + description: "fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified." type: "string" lun: description: "lun is Optional: FC target lun number" 
@@ -710,7 +715,7 @@ spec: properties: name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" type: "object" x-kubernetes-map-type: "atomic" 
@@ -731,7 +736,7 @@ spec: description: "gcePersistentDisk represents a GCE Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" properties: fsType: - description: "fsType is filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk\nTODO: how do we prevent errors in the filesystem from compromising the machine" + description: "fsType is filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" type: "string" partition: description: "partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" 
@@ -778,7 +783,7 @@ spec: - "path" type: "object" hostPath: - description: "hostPath represents a pre-existing file or directory on the host\nmachine that is directly exposed to the container. This is generally\nused for system agents or other privileged things that are allowed\nto see the host machine. Most containers will NOT need this.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath\n---\nTODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not\nmount host directories as read/write." + description: "hostPath represents a pre-existing file or directory on the host\nmachine that is directly exposed to the container. This is generally\nused for system agents or other privileged things that are allowed\nto see the host machine. Most containers will NOT need this.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath" properties: path: description: "path of the directory on the host.\nIf the path is a symlink, it will follow the link to the real path.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath" 
@@ -789,6 +794,16 @@ spec: required: - "path" type: "object" + image: + description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.\nThe volume is resolved at pod startup depending on which PullPolicy value is provided:\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.\n- Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.\n- IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.\nA failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.\nThe types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.\nThe OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.\nThe volume will be mounted read-only (ro) and non-executable files (noexec).\nSub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).\nThe field spec.securityContext.fsGroupChangePolicy has no effect on this volume type." + properties: + pullPolicy: + description: "Policy for pulling OCI objects. Possible values are:\nAlways: the kubelet always attempts to pull the reference. 
Container creation will fail If the pull fails.\nNever: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.\nIfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise." + type: "string" + reference: + description: "Required: Image or artifact reference to be used.\nBehaves in the same way as pod.spec.containers[*].image.\nPull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets." + type: "string" + type: "object" iscsi: description: "iscsi represents an ISCSI Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nMore info: https://examples.k8s.io/volumes/iscsi/README.md" properties: 
@@ -799,7 +814,7 @@ spec: description: "chapAuthSession defines whether support iSCSI Session CHAP authentication" type: "boolean" fsType: - description: "fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi\nTODO: how do we prevent errors in the filesystem from compromising the machine" + description: "fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi" type: "string" initiatorName: description: "initiatorName is the custom iSCSI Initiator Name.\nIf initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface\n: will be created for the connection." @@ -808,6 +823,7 @@ spec: description: "iqn is the target iSCSI Qualified Name." type: "string" iscsiInterface: + default: "default" description: "iscsiInterface is the interface Name that uses an iSCSI transport.\nDefaults to 'default' (tcp)." type: "string" lun: 
@@ -828,7 +844,7 @@ spec: properties: name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" type: "object" x-kubernetes-map-type: "atomic" 
@@ -906,9 +922,9 @@ spec: format: "int32" type: "integer" sources: - description: "sources is the list of volume projections" + description: "sources is the list of volume projections. Each entry in this list\nhandles one source." items: - description: "Projection that may be projected along with other supported volume types" + description: "Projection that may be projected along with other supported volume types.\nExactly one of these fields must be set." properties: clusterTrustBundle: description: "ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field\nof ClusterTrustBundle objects in an auto-updating file.\nAlpha, gated by the ClusterTrustBundleProjection feature gate.\nClusterTrustBundle objects can either be selected by name, or by the\ncombination of signer name and a label selector.\nKubelet performs aggressive normalization of the PEM contents written\ninto the pod filesystem. Esoteric PEM features such as inter-block\ncomments and block headers are stripped. Certificates are deduplicated.\nThe ordering of certificates within the file is arbitrary, and Kubelet\nmay change the order over time." 
@@ -987,7 +1003,7 @@ spec: x-kubernetes-list-type: "atomic" name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" optional: description: "optional specify whether the ConfigMap or its keys must be defined" @@ -1074,7 +1090,7 @@ spec: x-kubernetes-list-type: "atomic" name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" optional: description: "optional field specify whether the Secret or its key must be defined" 
@@ -1130,12 +1146,13 @@ spec: description: "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.\nMore info: https://examples.k8s.io/volumes/rbd/README.md" properties: fsType: - description: "fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#rbd\nTODO: how do we prevent errors in the filesystem from compromising the machine" + description: "fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#rbd" type: "string" image: description: "image is the rados image name.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" type: "string" keyring: + default: "/etc/ceph/keyring" description: "keyring is the path to key ring for RBDUser.\nDefault is /etc/ceph/keyring.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" type: "string" monitors: @@ -1145,6 +1162,7 @@ spec: type: "array" x-kubernetes-list-type: "atomic" pool: + default: "rbd" description: "pool is the rados pool name.\nDefault is rbd.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" type: "string" readOnly: 
@@ -1155,11 +1173,12 @@ spec: properties: name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" type: "object" x-kubernetes-map-type: "atomic" user: + default: "admin" description: "user is the rados user name.\nDefault is admin.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" type: "string" required: @@ -1170,6 +1189,7 @@ spec: description: "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." properties: fsType: + default: "xfs" description: "fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\".\nDefault is \"xfs\"." type: "string" gateway: 
@@ -1186,7 +1206,7 @@ spec: properties: name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" type: "object" x-kubernetes-map-type: "atomic" @@ -1194,6 +1214,7 @@ spec: description: "sslEnabled Flag enable/disable SSL communication with Gateway, default false" type: "boolean" storageMode: + default: "ThinProvisioned" description: "storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.\nDefault is ThinProvisioned." type: "string" storagePool: 
@@ -1259,7 +1280,7 @@ spec: properties: name: default: "" - description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896." + description: "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: "string" type: "object" x-kubernetes-map-type: "atomic" @@ -1370,6 +1391,9 @@ spec: name: description: "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container." type: "string" + request: + description: "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request." + type: "string" required: - "name" type: "object" @@ -1907,6 +1931,8 @@ spec: description: "Value defines the value of the descriptor entry." minLength: 1 type: "string" + required: + - "value" type: "object" remoteAddress: description: "RemoteAddress defines a descriptor entry with a key of \"remote_address\"\nand a value equal to the client's IP address (from x-forwarded-for)." 
@@ -1922,6 +1948,9 @@ spec: description: "HeaderName defines the name of the header to look for on the request." minLength: 1 type: "string" + required: + - "descriptorKey" + - "headerName" type: "object" requestHeaderValueMatch: description: "RequestHeaderValueMatch defines a descriptor entry that's populated\nif the request's headers match a set of 1+ match criteria. The\ndescriptor key is \"header_match\", and the descriptor value is static." @@ -1974,10 +2003,14 @@ spec: description: "Value defines the value of the descriptor entry." minLength: 1 type: "string" + required: + - "value" type: "object" type: "object" minItems: 1 type: "array" + required: + - "entries" type: "object" minItems: 1 type: "array" @@ -2097,7 +2130,7 @@ spec: conditions: description: "Conditions describe the current conditions of the ContourDeployment resource." items: - description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + description: "Condition contains details for one aspect of the current state of this API Resource." properties: lastTransitionTime: description: "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." 
@@ -2126,7 +2159,7 @@ spec: - "Unknown" type: "string" type: - description: "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: "type of condition in CamelCase or in foo.example.com/CamelCase." maxLength: 316 pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" type: "string" diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.yaml b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.yaml index b7c695e67..f638ecc9d 100644 --- a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.yaml +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "extensionservices.projectcontour.io" spec: group: "projectcontour.io" @@ -75,6 +75,8 @@ spec: description: "HeaderName is the name of the HTTP request header that will be used to\ncalculate the hash key. If the header specified is not present on a\nrequest, no hash will be produced." minLength: 1 type: "string" + required: + - "headerName" type: "object" queryParameterHashOptions: description: "QueryParameterHashOptions should be set when request query parameter hash based load\nbalancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." 
@@ -83,6 +85,8 @@ spec: description: "ParameterName is the name of the HTTP request query parameter that will be used to\ncalculate the hash key. If the query parameter specified is not present on a\nrequest, no hash will be produced." minLength: 1 type: "string" + required: + - "parameterName" type: "object" terminal: description: "Terminal is a flag that allows for short-circuiting computing of a hash\nfor a given request. If set to true, and the request attribute specified\nin the attribute hash options is present, no further hash policies will\nbe used to calculate a hash for the request." @@ -243,7 +247,7 @@ spec: - "Unknown" type: "string" type: - description: "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: "type of condition in CamelCase or in foo.example.com/CamelCase." maxLength: 316 pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" type: "string" diff --git a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/podmonitors.yaml b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/podmonitors.yaml index b0c032d88..6fcebb633 100644 --- a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/podmonitors.yaml +++ b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/podmonitors.yaml 
@@ -75,6 +75,17 @@ spec: type: "string" type: "array" type: "object" + nativeHistogramBucketLimit: + description: "If there are more than this many buckets in a native histogram,\nbuckets will be merged to stay within the limit.\nIt requires Prometheus >= v2.45.0." + format: "int64" + type: "integer" + nativeHistogramMinBucketFactor: + anyOf: + - type: "integer" + - type: "string" + description: "If the growth factor of one bucket to the next is smaller than this,\nbuckets will be merged to increase the factor sufficiently.\nIt requires Prometheus >= v2.50.0." + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true podMetricsEndpoints: description: "Defines how to scrape metrics from the selected pods." items: @@ -690,6 +701,9 @@ spec: description: "The scrape class to apply." minLength: 1 type: "string" + scrapeClassicHistograms: + description: "Whether to scrape a classic histogram that is also exposed as a native histogram.\nIt requires Prometheus >= v2.45.0." + type: "boolean" scrapeProtocols: description: "`scrapeProtocols` defines the protocols to negotiate during a scrape. It tells clients the\nprotocols supported by Prometheus in order of preference (from most to least preferred).\n\nIf unset, Prometheus uses its default value.\n\nIt requires Prometheus >= v2.49.0." items: diff --git a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/probes.yaml b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/probes.yaml index 1c262518a..fa5fdd6ef 100644 --- a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/probes.yaml +++ b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/probes.yaml 
@@ -195,6 +195,17 @@ spec: module: description: "The module to use for probing specifying how to probe the target.\nExample module configuring in the blackbox exporter:\nhttps://github.com/prometheus/blackbox_exporter/blob/master/example.yml" type: "string" + nativeHistogramBucketLimit: + description: "If there are more than this many buckets in a native histogram,\nbuckets will be merged to stay within the limit.\nIt requires Prometheus >= v2.45.0." + format: "int64" + type: "integer" + nativeHistogramMinBucketFactor: + anyOf: + - type: "integer" + - type: "string" + description: "If the growth factor of one bucket to the next is smaller than this,\nbuckets will be merged to increase the factor sufficiently.\nIt requires Prometheus >= v2.50.0." + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true oauth2: description: "OAuth2 for the URL. Only valid in Prometheus versions 2.27.0 and newer." properties: @@ -454,6 +465,9 @@ spec: description: "The scrape class to apply." minLength: 1 type: "string" + scrapeClassicHistograms: + description: "Whether to scrape a classic histogram that is also exposed as a native histogram.\nIt requires Prometheus >= v2.45.0." + type: "boolean" scrapeProtocols: description: "`scrapeProtocols` defines the protocols to negotiate during a scrape. It tells clients the\nprotocols supported by Prometheus in order of preference (from most to least preferred).\n\nIf unset, Prometheus uses its default value.\n\nIt requires Prometheus >= v2.49.0." items: diff --git a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/prometheuses.yaml b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/prometheuses.yaml index a6166b0e0..cb591ec7a 100644 --- a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/prometheuses.yaml 
+++ b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/prometheuses.yaml @@ -4225,6 +4225,12 @@ spec: type: "string" description: "Custom HTTP headers to be sent along with each remote write request.\nBe aware that headers that are set by Prometheus itself can't be overwritten.\n\nIt requires Prometheus >= v2.25.0." type: "object" + messageVersion: + description: "The Remote Write message's version to use when writing to the endpoint.\n\n`Version1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0.\n`Version2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0.\n\nWhen `Version2.0` is selected, Prometheus will automatically be\nconfigured to append the metadata of scraped metrics to the WAL.\n\nBefore setting this field, consult with your remote storage provider\nwhat message version it supports.\n\nIt requires Prometheus >= v2.54.0." + enum: + - "V1.0" + - "V2.0" + type: "string" metadataConfig: description: "MetadataConfig configures the sending of series metadata to the remote storage." properties: @@ -4544,7 +4550,7 @@ spec: pattern: "^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$" type: "string" sendExemplars: - description: "Enables sending of exemplars over remote write. Note that\nexemplar-storage itself must be enabled using the `spec.enableFeature`\noption for exemplars to be scraped in the first place.\n\nIt requires Prometheus >= v2.27.0." + description: "Enables sending of exemplars over remote write. Note that\nexemplar-storage itself must be enabled using the `spec.enableFeatures`\noption for exemplars to be scraped in the first place.\n\nIt requires Prometheus >= v2.27.0." type: "boolean" sendNativeHistograms: description: "Enables sending of native histograms, also known as sparse histograms\nover remote write.\n\nIt requires Prometheus >= v2.40.0." 
@@ -4726,6 +4732,7 @@ spec: type: "object" url: description: "The URL of the endpoint to send samples to." + minLength: 1 type: "string" writeRelabelConfigs: description: "The list of remote write relabel configurations." @@ -4788,6 +4795,16 @@ spec: - "url" type: "object" type: "array" + remoteWriteReceiverMessageVersions: + description: "List of the protobuf message versions to accept when receiving the\nremote writes.\n\nIt requires Prometheus >= v2.54.0." + items: + enum: + - "V1.0" + - "V2.0" + type: "string" + minItems: 1 + type: "array" + x-kubernetes-list-type: "set" replicaExternalLabelName: description: "Name of Prometheus external label used to denote the replica name.\nThe external label will _not_ be added when the field is set to the\nempty string (`\"\"`).\n\nDefault: \"prometheus_replica\"" type: "string" diff --git a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/servicemonitors.yaml b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/servicemonitors.yaml index 7310df163..6b0fb6bb9 100644 --- a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/servicemonitors.yaml +++ b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1/servicemonitors.yaml 
@@ -689,6 +689,17 @@ spec: type: "string" type: "array" type: "object" + nativeHistogramBucketLimit: + description: "If there are more than this many buckets in a native histogram,\nbuckets will be merged to stay within the limit.\nIt requires Prometheus >= v2.45.0." + format: "int64" + type: "integer" + nativeHistogramMinBucketFactor: + anyOf: + - type: "integer" + - type: "string" + description: "If the growth factor of one bucket to the next is smaller than this,\nbuckets will be merged to increase the factor sufficiently.\nIt requires Prometheus >= v2.50.0." + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true podTargetLabels: description: "`podTargetLabels` defines the labels which are transferred from the\nassociated Kubernetes `Pod` object onto the ingested metrics." items: @@ -702,6 +713,9 @@ spec: description: "The scrape class to apply." minLength: 1 type: "string" + scrapeClassicHistograms: + description: "Whether to scrape a classic histogram that is also exposed as a native histogram.\nIt requires Prometheus >= v2.45.0." + type: "boolean" scrapeProtocols: description: "`scrapeProtocols` defines the protocols to negotiate during a scrape. It tells clients the\nprotocols supported by Prometheus in order of preference (from most to least preferred).\n\nIf unset, Prometheus uses its default value.\n\nIt requires Prometheus >= v2.49.0." items: diff --git a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1alpha1/prometheusagents.yaml b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1alpha1/prometheusagents.yaml index 090443696..190156e96 100644 --- a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1alpha1/prometheusagents.yaml +++ b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1alpha1/prometheusagents.yaml 
@@ -3234,6 +3234,12 @@ spec: type: "string" description: "Custom HTTP headers to be sent along with each remote write request.\nBe aware that headers that are set by Prometheus itself can't be overwritten.\n\nIt requires Prometheus >= v2.25.0." type: "object" + messageVersion: + description: "The Remote Write message's version to use when writing to the endpoint.\n\n`Version1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0.\n`Version2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0.\n\nWhen `Version2.0` is selected, Prometheus will automatically be\nconfigured to append the metadata of scraped metrics to the WAL.\n\nBefore setting this field, consult with your remote storage provider\nwhat message version it supports.\n\nIt requires Prometheus >= v2.54.0." + enum: + - "V1.0" + - "V2.0" + type: "string" metadataConfig: description: "MetadataConfig configures the sending of series metadata to the remote storage." properties: @@ -3553,7 +3559,7 @@ spec: pattern: "^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$" type: "string" sendExemplars: - description: "Enables sending of exemplars over remote write. Note that\nexemplar-storage itself must be enabled using the `spec.enableFeature`\noption for exemplars to be scraped in the first place.\n\nIt requires Prometheus >= v2.27.0." + description: "Enables sending of exemplars over remote write. Note that\nexemplar-storage itself must be enabled using the `spec.enableFeatures`\noption for exemplars to be scraped in the first place.\n\nIt requires Prometheus >= v2.27.0." type: "boolean" sendNativeHistograms: description: "Enables sending of native histograms, also known as sparse histograms\nover remote write.\n\nIt requires Prometheus >= v2.40.0." 
@@ -3735,6 +3741,7 @@ spec: type: "object" url: description: "The URL of the endpoint to send samples to." + minLength: 1 type: "string" writeRelabelConfigs: description: "The list of remote write relabel configurations." @@ -3797,6 +3804,16 @@ spec: - "url" type: "object" type: "array" + remoteWriteReceiverMessageVersions: + description: "List of the protobuf message versions to accept when receiving the\nremote writes.\n\nIt requires Prometheus >= v2.54.0." + items: + enum: + - "V1.0" + - "V2.0" + type: "string" + minItems: 1 + type: "array" + x-kubernetes-list-type: "set" replicaExternalLabelName: description: "Name of Prometheus external label used to denote the replica name.\nThe external label will _not_ be added when the field is set to the\nempty string (`\"\"`).\n\nDefault: \"prometheus_replica\"" type: "string" diff --git a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1alpha1/scrapeconfigs.yaml b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1alpha1/scrapeconfigs.yaml index 05c8d8b4a..755d4e6e2 100644 --- a/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1alpha1/scrapeconfigs.yaml +++ b/crd-catalog/prometheus-operator/prometheus-operator/monitoring.coreos.com/v1alpha1/scrapeconfigs.yaml 
@@ -6075,6 +6075,17 @@ spec: description: "MetricsPath HTTP path to scrape for metrics. If empty, Prometheus uses the default value (e.g. /metrics)." minLength: 1 type: "string" + nativeHistogramBucketLimit: + description: "If there are more than this many buckets in a native histogram,\nbuckets will be merged to stay within the limit.\nIt requires Prometheus >= v2.45.0." + format: "int64" + type: "integer" + nativeHistogramMinBucketFactor: + anyOf: + - type: "integer" + - type: "string" + description: "If the growth factor of one bucket to the next is smaller than this,\nbuckets will be merged to increase the factor sufficiently.\nIt requires Prometheus >= v2.50.0." + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true noProxy: description: "`noProxy` is a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0." type: "string" @@ -7893,6 +7904,9 @@ spec: description: "The scrape class to apply." minLength: 1 type: "string" + scrapeClassicHistograms: + description: "Whether to scrape a classic histogram that is also exposed as a native histogram.\nIt requires Prometheus >= v2.45.0." + type: "boolean" scrapeInterval: description: "ScrapeInterval is the interval between consecutive scrapes." pattern: "^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$" diff --git a/crd-catalog/stackabletech/spark-k8s-operator/spark.stackable.tech/v1alpha1/sparkapplications.yaml b/crd-catalog/stackabletech/spark-k8s-operator/spark.stackable.tech/v1alpha1/sparkapplications.yaml index 158507feb..eacc448fd 100644 --- a/crd-catalog/stackabletech/spark-k8s-operator/spark.stackable.tech/v1alpha1/sparkapplications.yaml 
+++ b/crd-catalog/stackabletech/spark-k8s-operator/spark.stackable.tech/v1alpha1/sparkapplications.yaml @@ -611,13 +611,19 @@ spec: x-kubernetes-preserve-unknown-fields: true type: "object" logFileDirectory: - description: "The log file directory definition used by the Spark history server. Currently only S3 buckets are supported." + description: "The log file directory definition used by the Spark history server." nullable: true oneOf: - required: - "s3" + - required: + - "customLogDirectory" properties: + customLogDirectory: + description: "A custom log directory" + type: "string" s3: + description: "An S3 bucket storing the log events" properties: bucket: oneOf: diff --git a/crd-catalog/stackabletech/spark-k8s-operator/spark.stackable.tech/v1alpha1/sparkhistoryservers.yaml b/crd-catalog/stackabletech/spark-k8s-operator/spark.stackable.tech/v1alpha1/sparkhistoryservers.yaml index b83813ada..b4b0ee64c 100644 --- a/crd-catalog/stackabletech/spark-k8s-operator/spark.stackable.tech/v1alpha1/sparkhistoryservers.yaml +++ b/crd-catalog/stackabletech/spark-k8s-operator/spark.stackable.tech/v1alpha1/sparkhistoryservers.yaml @@ -84,12 +84,18 @@ spec: type: "string" type: "object" logFileDirectory: - description: "The log file directory definition used by the Spark history server. Currently only S3 buckets are supported." + description: "The log file directory definition used by the Spark history server." oneOf: - required: - "s3" + - required: + - "customLogDirectory" properties: + customLogDirectory: + description: "A custom log directory" + type: "string" s3: + description: "An S3 bucket storing the log events" properties: bucket: oneOf: diff --git a/crd-catalog/tinkerbell/cluster-api-provider-tinkerbell/infrastructure.cluster.x-k8s.io/v1beta1/tinkerbellmachines.yaml b/crd-catalog/tinkerbell/cluster-api-provider-tinkerbell/infrastructure.cluster.x-k8s.io/v1beta1/tinkerbellmachines.yaml index 8e4f88fa3..eff3d3b8c 100644 
--- a/crd-catalog/tinkerbell/cluster-api-provider-tinkerbell/infrastructure.cluster.x-k8s.io/v1beta1/tinkerbellmachines.yaml +++ b/crd-catalog/tinkerbell/cluster-api-provider-tinkerbell/infrastructure.cluster.x-k8s.io/v1beta1/tinkerbellmachines.yaml @@ -52,6 +52,21 @@ spec: spec: description: "TinkerbellMachineSpec defines the desired state of TinkerbellMachine." properties: + bootOptions: + description: "BootOptions are options that control the booting of Hardware." + properties: + bootMode: + description: "BootMode is the type of booting that will be done." + enum: + - "none" + - "netboot" + - "iso" + type: "string" + isoURL: + description: "ISOURL is the URL of the ISO that will be one-time booted.\nWhen this field is set, the controller will create a job.bmc.tinkerbell.org object\nfor getting the associated hardware into a CDROM booting state.\nA HardwareRef that contains a spec.BmcRef must be provided." + format: "url" + type: "string" + type: "object" hardwareAffinity: description: "HardwareAffinity allows filtering for hardware." properties: diff --git a/crd-catalog/tinkerbell/cluster-api-provider-tinkerbell/infrastructure.cluster.x-k8s.io/v1beta1/tinkerbellmachinetemplates.yaml b/crd-catalog/tinkerbell/cluster-api-provider-tinkerbell/infrastructure.cluster.x-k8s.io/v1beta1/tinkerbellmachinetemplates.yaml index a974346ea..1eecb48a6 100644 --- a/crd-catalog/tinkerbell/cluster-api-provider-tinkerbell/infrastructure.cluster.x-k8s.io/v1beta1/tinkerbellmachinetemplates.yaml +++ b/crd-catalog/tinkerbell/cluster-api-provider-tinkerbell/infrastructure.cluster.x-k8s.io/v1beta1/tinkerbellmachinetemplates.yaml 
@@ -37,6 +37,21 @@ spec: spec: description: "Spec is the specification of the desired behavior of the machine." properties: + bootOptions: + description: "BootOptions are options that control the booting of Hardware." + properties: + bootMode: + description: "BootMode is the type of booting that will be done." + enum: + - "none" + - "netboot" + - "iso" + type: "string" + isoURL: + description: "ISOURL is the URL of the ISO that will be one-time booted.\nWhen this field is set, the controller will create a job.bmc.tinkerbell.org object\nfor getting the associated hardware into a CDROM booting state.\nA HardwareRef that contains a spec.BmcRef must be provided." + format: "url" + type: "string" + type: "object" hardwareAffinity: description: "HardwareAffinity allows filtering for hardware." properties: diff --git a/crd-catalog/tinkerbell/rufio/bmc.tinkerbell.org/v1alpha1/machines.yaml b/crd-catalog/tinkerbell/rufio/bmc.tinkerbell.org/v1alpha1/machines.yaml index 5319cf296..1de2244e7 100644 --- a/crd-catalog/tinkerbell/rufio/bmc.tinkerbell.org/v1alpha1/machines.yaml +++ b/crd-catalog/tinkerbell/rufio/bmc.tinkerbell.org/v1alpha1/machines.yaml @@ -72,8 +72,6 @@ spec: port: description: "Port that intelAMT will use for calls." type: "integer" - required: - - "port" type: "object" ipmitool: description: "IPMITOOL contains the options to customize the Ipmitool provider." @@ -91,8 +89,12 @@ spec: port: description: "Port that redfish will use for calls." type: "integer" - required: - - "port" + systemName: + description: "SystemName is the name of the system to use for redfish calls.\nWith redfish implementations that manage multiple systems via a single endpoint, this allows for specifying the system to manage." + type: "string" + useBasicAuth: + description: "UseBasicAuth for redfish calls. The default is false which means token based auth is used." + type: "boolean" type: "object" rpc: description: "RPC contains the options to customize the RPC provider." 
diff --git a/crd-catalog/tinkerbell/rufio/bmc.tinkerbell.org/v1alpha1/tasks.yaml b/crd-catalog/tinkerbell/rufio/bmc.tinkerbell.org/v1alpha1/tasks.yaml index 5afb357e7..8f8719bb9 100644 --- a/crd-catalog/tinkerbell/rufio/bmc.tinkerbell.org/v1alpha1/tasks.yaml +++ b/crd-catalog/tinkerbell/rufio/bmc.tinkerbell.org/v1alpha1/tasks.yaml @@ -74,8 +74,6 @@ spec: port: description: "Port that intelAMT will use for calls." type: "integer" - required: - - "port" type: "object" ipmitool: description: "IPMITOOL contains the options to customize the Ipmitool provider." @@ -93,8 +91,12 @@ spec: port: description: "Port that redfish will use for calls." type: "integer" - required: - - "port" + systemName: + description: "SystemName is the name of the system to use for redfish calls.\nWith redfish implementations that manage multiple systems via a single endpoint, this allows for specifying the system to manage." + type: "string" + useBasicAuth: + description: "UseBasicAuth for redfish calls. The default is false which means token based auth is used." + type: "boolean" type: "object" rpc: description: "RPC contains the options to customize the RPC provider." diff --git a/crd-catalog/tinkerbell/tink/tinkerbell.org/v1alpha1/hardware.yaml b/crd-catalog/tinkerbell/tink/tinkerbell.org/v1alpha1/hardware.yaml index 3a57c0b29..580eaeec1 100644 --- a/crd-catalog/tinkerbell/tink/tinkerbell.org/v1alpha1/hardware.yaml +++ b/crd-catalog/tinkerbell/tink/tinkerbell.org/v1alpha1/hardware.yaml @@ -109,6 +109,10 @@ spec: pattern: "^(([0-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))(,[1-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))*)$" type: "string" type: "object" + disableDhcp: + default: false + description: "DisableDHCP disables DHCP for this interface." + type: "boolean" netboot: description: "Netboot configuration." properties: 
diff --git a/crd-catalog/volcano-sh/volcano/batch.volcano.sh/v1alpha1/jobs.yaml b/crd-catalog/volcano-sh/volcano/batch.volcano.sh/v1alpha1/jobs.yaml index 79f3b5813..7a7ec6e97 100644 --- a/crd-catalog/volcano-sh/volcano/batch.volcano.sh/v1alpha1/jobs.yaml +++ b/crd-catalog/volcano-sh/volcano/batch.volcano.sh/v1alpha1/jobs.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "jobs.batch.volcano.sh" spec: group: "batch.volcano.sh" @@ -849,6 +849,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -955,6 +956,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -1036,6 +1038,8 @@ spec: properties: name: type: "string" + request: + type: "string" required: - "name" type: "object" @@ -1153,6 +1157,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -1554,6 +1559,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -1660,6 +1666,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -1741,6 +1748,8 @@ spec: properties: name: type: "string" + request: + type: "string" required: - "name" type: "object" @@ -1858,6 +1867,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -2273,6 +2283,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -2379,6 +2390,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -2460,6 +2472,8 @@ spec: properties: name: type: "string" + request: + type: "string" required: - "name" type: "object" 
@@ -2577,6 +2591,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -2741,13 +2756,10 @@ spec: properties: name: type: "string" - source: - properties: - resourceClaimName: - type: "string" - resourceClaimTemplateName: - type: "string" - type: "object" + resourceClaimName: + type: "string" + resourceClaimTemplateName: + type: "string" required: - "name" type: "object" @@ -2823,6 +2835,8 @@ spec: type: "integer" type: "array" x-kubernetes-list-type: "atomic" + supplementalGroupsPolicy: + type: "string" sysctls: items: properties: @@ -2962,10 +2976,12 @@ spec: diskURI: type: "string" fsType: + default: "ext4" type: "string" kind: type: "string" readOnly: + default: false type: "boolean" required: - "diskName" @@ -3342,6 +3358,13 @@ spec: required: - "path" type: "object" + image: + properties: + pullPolicy: + type: "string" + reference: + type: "string" + type: "object" iscsi: properties: chapAuthDiscovery: @@ -3355,6 +3378,7 @@ spec: iqn: type: "string" iscsiInterface: + default: "default" type: "string" lun: format: "int32" @@ -3603,6 +3627,7 @@ spec: image: type: "string" keyring: + default: "/etc/ceph/keyring" type: "string" monitors: items: @@ -3610,6 +3635,7 @@ spec: type: "array" x-kubernetes-list-type: "atomic" pool: + default: "rbd" type: "string" readOnly: type: "boolean" @@ -3621,6 +3647,7 @@ spec: type: "object" x-kubernetes-map-type: "atomic" user: + default: "admin" type: "string" required: - "image" @@ -3629,6 +3656,7 @@ spec: scaleIO: properties: fsType: + default: "xfs" type: "string" gateway: type: "string" @@ -3646,6 +3674,7 @@ spec: sslEnabled: type: "boolean" storageMode: + default: "ThinProvisioned" type: "string" storagePool: type: "string" diff --git a/crd-catalog/volcano-sh/volcano/bus.volcano.sh/v1alpha1/commands.yaml b/crd-catalog/volcano-sh/volcano/bus.volcano.sh/v1alpha1/commands.yaml index 6e93cec49..5529be498 100644 
--- a/crd-catalog/volcano-sh/volcano/bus.volcano.sh/v1alpha1/commands.yaml +++ b/crd-catalog/volcano-sh/volcano/bus.volcano.sh/v1alpha1/commands.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "commands.bus.volcano.sh" spec: group: "bus.volcano.sh" diff --git a/crd-catalog/volcano-sh/volcano/flow.volcano.sh/v1alpha1/jobflows.yaml b/crd-catalog/volcano-sh/volcano/flow.volcano.sh/v1alpha1/jobflows.yaml index ca013d66d..49099ba8e 100644 --- a/crd-catalog/volcano-sh/volcano/flow.volcano.sh/v1alpha1/jobflows.yaml +++ b/crd-catalog/volcano-sh/volcano/flow.volcano.sh/v1alpha1/jobflows.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "jobflows.flow.volcano.sh" spec: group: "flow.volcano.sh" diff --git a/crd-catalog/volcano-sh/volcano/flow.volcano.sh/v1alpha1/jobtemplates.yaml b/crd-catalog/volcano-sh/volcano/flow.volcano.sh/v1alpha1/jobtemplates.yaml index eac1e4022..0a8c17b1b 100644 --- a/crd-catalog/volcano-sh/volcano/flow.volcano.sh/v1alpha1/jobtemplates.yaml +++ b/crd-catalog/volcano-sh/volcano/flow.volcano.sh/v1alpha1/jobtemplates.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "jobtemplates.flow.volcano.sh" spec: group: "flow.volcano.sh" @@ -831,6 +831,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -937,6 +938,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" 
@@ -1018,6 +1020,8 @@ spec: properties: name: type: "string" + request: + type: "string" required: - "name" type: "object" @@ -1135,6 +1139,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -1536,6 +1541,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -1642,6 +1648,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -1723,6 +1730,8 @@ spec: properties: name: type: "string" + request: + type: "string" required: - "name" type: "object" @@ -1840,6 +1849,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -2255,6 +2265,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -2361,6 +2372,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -2442,6 +2454,8 @@ spec: properties: name: type: "string" + request: + type: "string" required: - "name" type: "object" @@ -2559,6 +2573,7 @@ spec: format: "int32" type: "integer" service: + default: "" type: "string" required: - "port" @@ -2723,13 +2738,10 @@ spec: properties: name: type: "string" - source: - properties: - resourceClaimName: - type: "string" - resourceClaimTemplateName: - type: "string" - type: "object" + resourceClaimName: + type: "string" + resourceClaimTemplateName: + type: "string" required: - "name" type: "object" @@ -2805,6 +2817,8 @@ spec: type: "integer" type: "array" x-kubernetes-list-type: "atomic" + supplementalGroupsPolicy: + type: "string" sysctls: items: properties: @@ -2944,10 +2958,12 @@ spec: diskURI: type: "string" fsType: + default: "ext4" type: "string" kind: type: "string" readOnly: + default: false type: "boolean" required: - "diskName" 
@@ -3324,6 +3340,13 @@ spec: required: - "path" type: "object" + image: + properties: + pullPolicy: + type: "string" + reference: + type: "string" + type: "object" iscsi: properties: chapAuthDiscovery: @@ -3337,6 +3360,7 @@ spec: iqn: type: "string" iscsiInterface: + default: "default" type: "string" lun: format: "int32" @@ -3585,6 +3609,7 @@ spec: image: type: "string" keyring: + default: "/etc/ceph/keyring" type: "string" monitors: items: @@ -3592,6 +3617,7 @@ spec: type: "array" x-kubernetes-list-type: "atomic" pool: + default: "rbd" type: "string" readOnly: type: "boolean" @@ -3603,6 +3629,7 @@ spec: type: "object" x-kubernetes-map-type: "atomic" user: + default: "admin" type: "string" required: - "image" @@ -3611,6 +3638,7 @@ spec: scaleIO: properties: fsType: + default: "xfs" type: "string" gateway: type: "string" @@ -3628,6 +3656,7 @@ spec: sslEnabled: type: "boolean" storageMode: + default: "ThinProvisioned" type: "string" storagePool: type: "string" diff --git a/crd-catalog/volcano-sh/volcano/nodeinfo.volcano.sh/v1alpha1/numatopologies.yaml b/crd-catalog/volcano-sh/volcano/nodeinfo.volcano.sh/v1alpha1/numatopologies.yaml index f2a4e2307..757d1e8bd 100644 --- a/crd-catalog/volcano-sh/volcano/nodeinfo.volcano.sh/v1alpha1/numatopologies.yaml +++ b/crd-catalog/volcano-sh/volcano/nodeinfo.volcano.sh/v1alpha1/numatopologies.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "numatopologies.nodeinfo.volcano.sh" spec: group: "nodeinfo.volcano.sh" diff --git a/crd-catalog/volcano-sh/volcano/scheduling.volcano.sh/v1beta1/podgroups.yaml b/crd-catalog/volcano-sh/volcano/scheduling.volcano.sh/v1beta1/podgroups.yaml index 27997c283..3c18499ac 100644 --- a/crd-catalog/volcano-sh/volcano/scheduling.volcano.sh/v1beta1/podgroups.yaml 
+++ b/crd-catalog/volcano-sh/volcano/scheduling.volcano.sh/v1beta1/podgroups.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "podgroups.scheduling.volcano.sh" spec: group: "scheduling.volcano.sh" diff --git a/crd-catalog/volcano-sh/volcano/scheduling.volcano.sh/v1beta1/queues.yaml b/crd-catalog/volcano-sh/volcano/scheduling.volcano.sh/v1beta1/queues.yaml index 3cabf8920..2b48b9b6f 100644 --- a/crd-catalog/volcano-sh/volcano/scheduling.volcano.sh/v1beta1/queues.yaml +++ b/crd-catalog/volcano-sh/volcano/scheduling.volcano.sh/v1beta1/queues.yaml @@ -2,7 +2,7 @@ apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" metadata: annotations: - controller-gen.kubebuilder.io/version: "v0.15.0" + controller-gen.kubebuilder.io/version: "v0.16.4" name: "queues.scheduling.volcano.sh" spec: group: "scheduling.volcano.sh" diff --git a/kube-custom-resources-rs/src/acme_cert_manager_io/v1/challenges.rs b/kube-custom-resources-rs/src/acme_cert_manager_io/v1/challenges.rs index 4dbb243b4..808da0b10 100644 --- a/kube-custom-resources-rs/src/acme_cert_manager_io/v1/challenges.rs +++ b/kube-custom-resources-rs/src/acme_cert_manager_io/v1/challenges.rs @@ -300,6 +300,9 @@ pub struct ChallengeSolverDns01AzureDnsManagedIdentity { /// Cannot be used for Azure Managed Service Identity #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceID")] pub resource_id: Option, + /// tenant ID of the managed identity, can not be used at the same time as resourceID + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tenantID")] + pub tenant_id: Option, } /// Use the Google Cloud DNS API to manage DNS01 challenge records. 
diff --git a/kube-custom-resources-rs/src/app_terraform_io/v1alpha2/agentpools.rs b/kube-custom-resources-rs/src/app_terraform_io/v1alpha2/agentpools.rs index 66a7325ea..5be7f6dfd 100644 --- a/kube-custom-resources-rs/src/app_terraform_io/v1alpha2/agentpools.rs +++ b/kube-custom-resources-rs/src/app_terraform_io/v1alpha2/agentpools.rs @@ -44,6 +44,12 @@ pub struct AgentPoolSpec { /// Agent deployment settings #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct AgentPoolAgentDeployment { + /// Annotations that will be applied to the pod template in the deployment. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub annotations: Option>, + /// Labels that will be applied to the pod template in the deployment. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, #[serde(default, skip_serializing_if = "Option::is_none")] pub replicas: Option, /// PodSpec is a description of a pod. diff --git a/kube-custom-resources-rs/src/app_terraform_io/v1alpha2/workspaces.rs b/kube-custom-resources-rs/src/app_terraform_io/v1alpha2/workspaces.rs index e1951ec5c..296f9034f 100644 --- a/kube-custom-resources-rs/src/app_terraform_io/v1alpha2/workspaces.rs +++ b/kube-custom-resources-rs/src/app_terraform_io/v1alpha2/workspaces.rs @@ -621,6 +621,9 @@ pub struct WorkspaceStatus { /// Workspace Runs status. #[serde(default, skip_serializing_if = "Option::is_none", rename = "runStatus")] pub run_status: Option, + /// SSH Key ID. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sshKeyID")] + pub ssh_key_id: Option, /// Workspace Terraform version. #[serde(default, skip_serializing_if = "Option::is_none", rename = "terraformVersion")] pub terraform_version: Option, diff --git a/kube-custom-resources-rs/src/apps_emqx_io/v2beta1/emqxes.rs b/kube-custom-resources-rs/src/apps_emqx_io/v2beta1/emqxes.rs index 741b59a8e..a537360a2 100644 --- a/kube-custom-resources-rs/src/apps_emqx_io/v2beta1/emqxes.rs 
+++ b/kube-custom-resources-rs/src/apps_emqx_io/v2beta1/emqxes.rs @@ -5972,8 +5972,8 @@ pub struct EMQXStatus { pub core_nodes: Option>, #[serde(default, skip_serializing_if = "Option::is_none", rename = "coreNodesStatus")] pub core_nodes_status: Option, - #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodEvacuationsStatus")] - pub nod_evacuations_status: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodeEvacuationsStatus")] + pub node_evacuations_status: Option>, #[serde(default, skip_serializing_if = "Option::is_none", rename = "replicantNodes")] pub replicant_nodes: Option>, #[serde(default, skip_serializing_if = "Option::is_none", rename = "replicantNodesStatus")] @@ -6023,7 +6023,7 @@ pub struct EMQXStatusCoreNodesStatus { } #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct EMQXStatusNodEvacuationsStatus { +pub struct EMQXStatusNodeEvacuationsStatus { #[serde(default, skip_serializing_if = "Option::is_none")] pub connection_eviction_rate: Option, #[serde(default, skip_serializing_if = "Option::is_none")] @@ -6039,11 +6039,11 @@ pub struct EMQXStatusNodEvacuationsStatus { #[serde(default, skip_serializing_if = "Option::is_none")] pub state: Option, #[serde(default, skip_serializing_if = "Option::is_none")] - pub stats: Option, + pub stats: Option, } #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct EMQXStatusNodEvacuationsStatusStats { +pub struct EMQXStatusNodeEvacuationsStatusStats { #[serde(default, skip_serializing_if = "Option::is_none")] pub current_connected: Option, #[serde(default, skip_serializing_if = "Option::is_none")] diff --git a/kube-custom-resources-rs/src/apps_kubeblocks_io/v1/clusterdefinitions.rs b/kube-custom-resources-rs/src/apps_kubeblocks_io/v1/clusterdefinitions.rs index 0664e63fe..bef924884 100644 --- a/kube-custom-resources-rs/src/apps_kubeblocks_io/v1/clusterdefinitions.rs 
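Review bot: The status key in `EMQXStatus` changes from `nodEvacuationsStatus` to `nodeEvacuationsStatus` with no fallback, so a status object that still carries the old key would deserialize with `node_evacuations_status` unset rather than failing. If objects written under the old spelling can still exist (this depends on the operator version, which the diff does not show), adding `alias = "nodEvacuationsStatus"` to the field's `#[serde(...)]` attribute keeps them readable. The renamed public field and the two renamed structs also break downstream code that names them, which deserves a changelog entry. `EMQXStatus` starts above the hunk.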
+++ b/kube-custom-resources-rs/src/apps_kubeblocks_io/v1/clusterdefinitions.rs @@ -61,17 +61,28 @@ pub struct ClusterDefinitionTopologiesComponents { /// by specifying a name prefix or regular expression pattern. /// /// - /// Once set, this field cannot be updated. + /// Cannot be updated once set. #[serde(rename = "compDef")] pub comp_def: String, /// Defines the unique identifier of the component within the cluster topology. + /// + /// /// It follows IANA Service naming rules and is used as part of the Service's DNS name. /// The name must start with a lowercase letter, can contain lowercase letters, numbers, /// and hyphens, and must end with a lowercase letter or number. /// /// + /// If the @template field is set to true, the name will be used as a prefix to match the specific components dynamically created. + /// + /// /// Cannot be updated once set. pub name: String, + /// Specifies whether the topology component will be considered as a template for instantiating components upon user requests dynamically. + /// + /// + /// Cannot be updated once set. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub template: Option, } /// Specifies the sequence in which components within a cluster topology are diff --git a/kube-custom-resources-rs/src/batch_volcano_sh/v1alpha1/jobs.rs b/kube-custom-resources-rs/src/batch_volcano_sh/v1alpha1/jobs.rs index c538b3720..617bdbfa1 100644 --- a/kube-custom-resources-rs/src/batch_volcano_sh/v1alpha1/jobs.rs +++ b/kube-custom-resources-rs/src/batch_volcano_sh/v1alpha1/jobs.rs @@ -904,6 +904,8 @@ pub struct JobTasksTemplateSpecContainersResources { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct JobTasksTemplateSpecContainersResourcesClaims { pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub request: Option, } #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] 
@@ -1489,6 +1491,8 @@ pub struct JobTasksTemplateSpecEphemeralContainersResources { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct JobTasksTemplateSpecEphemeralContainersResourcesClaims { pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub request: Option, } #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] @@ -2067,6 +2071,8 @@ pub struct JobTasksTemplateSpecInitContainersResources { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct JobTasksTemplateSpecInitContainersResourcesClaims { pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub request: Option, } #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] @@ -2246,12 +2252,6 @@ pub struct JobTasksTemplateSpecReadinessGates { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct JobTasksTemplateSpecResourceClaims { pub name: String, - #[serde(default, skip_serializing_if = "Option::is_none")] - pub source: Option, -} - -#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct JobTasksTemplateSpecResourceClaimsSource { #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceClaimName")] pub resource_claim_name: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceClaimTemplateName")] @@ -2283,6 +2283,8 @@ pub struct JobTasksTemplateSpecSecurityContext { pub seccomp_profile: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "supplementalGroups")] pub supplemental_groups: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "supplementalGroupsPolicy")] + pub supplemental_groups_policy: Option, #[serde(default, skip_serializing_if = "Option::is_none")] pub sysctls: Option>, #[serde(default, skip_serializing_if = "Option::is_none", rename = "windowsOptions")] 
@@ -2422,6 +2424,8 @@ pub struct JobTasksTemplateSpecVolumes { #[serde(default, skip_serializing_if = "Option::is_none", rename = "hostPath")] pub host_path: Option, #[serde(default, skip_serializing_if = "Option::is_none")] + pub image: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] pub iscsi: Option, pub name: String, #[serde(default, skip_serializing_if = "Option::is_none")] @@ -2776,6 +2780,14 @@ pub struct JobTasksTemplateSpecVolumesHostPath { pub r#type: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct JobTasksTemplateSpecVolumesImage { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "pullPolicy")] + pub pull_policy: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub reference: Option, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct JobTasksTemplateSpecVolumesIscsi { #[serde(default, skip_serializing_if = "Option::is_none", rename = "chapAuthDiscovery")] diff --git a/kube-custom-resources-rs/src/bmc_tinkerbell_org/v1alpha1/machines.rs b/kube-custom-resources-rs/src/bmc_tinkerbell_org/v1alpha1/machines.rs index dabc1543c..5904009aa 100644 --- a/kube-custom-resources-rs/src/bmc_tinkerbell_org/v1alpha1/machines.rs +++ b/kube-custom-resources-rs/src/bmc_tinkerbell_org/v1alpha1/machines.rs @@ -81,7 +81,8 @@ pub struct MachineConnectionProviderOptionsIntelAmt { #[serde(default, skip_serializing_if = "Option::is_none", rename = "hostScheme")] pub host_scheme: Option, /// Port that intelAMT will use for calls. - pub port: i64, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, } /// IntelAMT contains the options to customize the IntelAMT provider. 
@@ -108,7 +109,15 @@ pub struct MachineConnectionProviderOptionsIpmitool { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct MachineConnectionProviderOptionsRedfish { /// Port that redfish will use for calls. - pub port: i64, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, + /// SystemName is the name of the system to use for redfish calls. + /// With redfish implementations that manage multiple systems via a single endpoint, this allows for specifying the system to manage. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "systemName")] + pub system_name: Option, + /// UseBasicAuth for redfish calls. The default is false which means token based auth is used. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "useBasicAuth")] + pub use_basic_auth: Option, } /// RPC contains the options to customize the RPC provider. diff --git a/kube-custom-resources-rs/src/bmc_tinkerbell_org/v1alpha1/tasks.rs b/kube-custom-resources-rs/src/bmc_tinkerbell_org/v1alpha1/tasks.rs index 4d2428726..00c338ac1 100644 --- a/kube-custom-resources-rs/src/bmc_tinkerbell_org/v1alpha1/tasks.rs +++ b/kube-custom-resources-rs/src/bmc_tinkerbell_org/v1alpha1/tasks.rs @@ -84,7 +84,8 @@ pub struct TaskConnectionProviderOptionsIntelAmt { #[serde(default, skip_serializing_if = "Option::is_none", rename = "hostScheme")] pub host_scheme: Option, /// Port that intelAMT will use for calls. - pub port: i64, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, } /// IntelAMT contains the options to customize the IntelAMT provider. 
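Review bot: `use_basic_auth` in `MachineConnectionProviderOptionsRedfish` gives an authentication setting a third state: the doc says the default is false (token based auth), but an omitted field arrives as `None` and the doc does not say how that is read. Assuming the field is an `Option<bool>` (the type parameter is not shown on this page), consumers should read it with `unwrap_or(false)` so an omitted field can never select basic auth, and a doc line such as `/// Unset is treated as false (token based auth).` would make that explicit. In the same hunk `port` becomes optional with no stated default or range, so callers need their own fallback and a 1–65535 check. The matching Redfish hunk in `bmc_tinkerbell_org/v1alpha1/tasks.rs` and the two IntelAMT `port` hunks have the same gaps.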
@@ -111,7 +112,15 @@ pub struct TaskConnectionProviderOptionsIpmitool { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct TaskConnectionProviderOptionsRedfish { /// Port that redfish will use for calls. - pub port: i64, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, + /// SystemName is the name of the system to use for redfish calls. + /// With redfish implementations that manage multiple systems via a single endpoint, this allows for specifying the system to manage. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "systemName")] + pub system_name: Option, + /// UseBasicAuth for redfish calls. The default is false which means token based auth is used. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "useBasicAuth")] + pub use_basic_auth: Option, } /// RPC contains the options to customize the RPC provider. diff --git a/kube-custom-resources-rs/src/cassandra_datastax_com/v1beta1/cassandradatacenters.rs b/kube-custom-resources-rs/src/cassandra_datastax_com/v1beta1/cassandradatacenters.rs index 75ab65b01..066a711f3 100644 --- a/kube-custom-resources-rs/src/cassandra_datastax_com/v1beta1/cassandradatacenters.rs +++ b/kube-custom-resources-rs/src/cassandra_datastax_com/v1beta1/cassandradatacenters.rs 
@@ -84,8 +84,7 @@ pub struct CassandraDatacenterSpec { /// that an update to the secret will trigger an update of the StatefulSets. #[serde(default, skip_serializing_if = "Option::is_none", rename = "configSecret")] pub config_secret: Option, - /// DatacenterName allows to override the name of the Cassandra datacenter. Kubernetes objects will be named after a sanitized version of it if set, and if not metadata.name. In Cassandra the DC name will be overridden by this value. - /// It may generate some confusion as objects created for the DC will have a different name than the CasandraDatacenter object itself. + /// DatacenterName allows to override the name of the Cassandra datacenter. In Cassandra the DC name will be overridden by this value. /// This setting can create conflicts if multiple DCs coexist in the same namespace if metadata.name for a DC with no override is set to the same value as the override name of another DC. /// Use cautiously. #[serde(default, skip_serializing_if = "Option::is_none", rename = "datacenterName")] @@ -9801,6 +9800,8 @@ pub struct CassandraDatacenterStatus { /// with the management API #[serde(default, skip_serializing_if = "Option::is_none", rename = "lastServerNodeStarted")] pub last_server_node_started: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "metadataVersion")] + pub metadata_version: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodeReplacements")] pub node_replacements: Option>, #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodeStatuses")] diff --git a/kube-custom-resources-rs/src/cert_manager_io/v1/clusterissuers.rs b/kube-custom-resources-rs/src/cert_manager_io/v1/clusterissuers.rs index ce1a29c8a..7242c81c8 100644 --- a/kube-custom-resources-rs/src/cert_manager_io/v1/clusterissuers.rs +++ b/kube-custom-resources-rs/src/cert_manager_io/v1/clusterissuers.rs 
@@ -423,6 +423,9 @@ pub struct ClusterIssuerAcmeSolversDns01AzureDnsManagedIdentity { /// Cannot be used for Azure Managed Service Identity #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceID")] pub resource_id: Option, + /// tenant ID of the managed identity, can not be used at the same time as resourceID + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tenantID")] + pub tenant_id: Option, } /// Use the Google Cloud DNS API to manage DNS01 challenge records. diff --git a/kube-custom-resources-rs/src/cert_manager_io/v1/issuers.rs b/kube-custom-resources-rs/src/cert_manager_io/v1/issuers.rs index fdeb49aa6..9c33f0837 100644 --- a/kube-custom-resources-rs/src/cert_manager_io/v1/issuers.rs +++ b/kube-custom-resources-rs/src/cert_manager_io/v1/issuers.rs @@ -424,6 +424,9 @@ pub struct IssuerAcmeSolversDns01AzureDnsManagedIdentity { /// Cannot be used for Azure Managed Service Identity #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceID")] pub resource_id: Option, + /// tenant ID of the managed identity, can not be used at the same time as resourceID + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tenantID")] + pub tenant_id: Option, } /// Use the Google Cloud DNS API to manage DNS01 challenge records. diff --git a/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/clusters.rs b/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/clusters.rs index 856ea89a7..95e935a6e 100644 --- a/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/clusters.rs +++ b/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/clusters.rs 
@@ -866,11 +866,15 @@ pub struct ClusterStatus { pub failure_domains: Option>, /// FailureMessage indicates that there is a fatal problem reconciling the /// state, and will be set to a descriptive error message. + /// + /// Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details. #[serde(default, skip_serializing_if = "Option::is_none", rename = "failureMessage")] pub failure_message: Option, /// FailureReason indicates that there is a fatal problem reconciling the /// state, and will be set to a token value suitable for /// programmatic interpretation. + /// + /// Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details. #[serde(default, skip_serializing_if = "Option::is_none", rename = "failureReason")] pub failure_reason: Option, /// InfrastructureReady is the state of the infrastructure provider. diff --git a/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machinepools.rs b/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machinepools.rs index 80214485e..4b340e05a 100644 --- a/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machinepools.rs +++ b/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machinepools.rs 
@@ -256,10 +256,14 @@ pub struct MachinePoolStatus { pub conditions: Option>, /// FailureMessage indicates that there is a problem reconciling the state, /// and will be set to a descriptive error message. + /// + /// Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details. #[serde(default, skip_serializing_if = "Option::is_none", rename = "failureMessage")] pub failure_message: Option, /// FailureReason indicates that there is a problem reconciling the state, and /// will be set to a token value suitable for programmatic interpretation. + /// + /// Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details. #[serde(default, skip_serializing_if = "Option::is_none", rename = "failureReason")] pub failure_reason: Option, /// InfrastructureReady is the state of the infrastructure provider. diff --git a/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machines.rs b/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machines.rs index 1edc38cdb..0bac93fb8 100644 --- a/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machines.rs +++ b/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machines.rs 
@@ -219,6 +219,8 @@ pub struct MachineStatus { /// Any transient errors that occur during the reconciliation of Machines /// can be added as events to the Machine object and/or logged in the /// controller's output. + /// + /// Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details. #[serde(default, skip_serializing_if = "Option::is_none", rename = "failureMessage")] pub failure_message: Option, /// FailureReason will be set in the event that there is a terminal problem @@ -237,6 +239,8 @@ pub struct MachineStatus { /// Any transient errors that occur during the reconciliation of Machines /// can be added as events to the Machine object and/or logged in the /// controller's output. + /// + /// Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details. #[serde(default, skip_serializing_if = "Option::is_none", rename = "failureReason")] pub failure_reason: Option, /// InfrastructureReady is the state of the infrastructure provider. diff --git a/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machinesets.rs b/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machinesets.rs index 1404ff94f..a0f3099f7 100644 --- a/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machinesets.rs +++ b/kube-custom-resources-rs/src/cluster_x_k8s_io/v1beta1/machinesets.rs 
@@ -312,6 +312,7 @@ pub struct MachineSetStatus { /// Conditions defines current service state of the MachineSet. #[serde(default, skip_serializing_if = "Option::is_none")] pub conditions: Option>, + /// Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details. #[serde(default, skip_serializing_if = "Option::is_none", rename = "failureMessage")] pub failure_message: Option, /// In the event that there is a terminal problem reconciling the @@ -332,6 +333,8 @@ pub struct MachineSetStatus { /// Any transient errors that occur during the reconciliation of Machines /// can be added as events to the MachineSet object and/or logged in the /// controller's output. + /// + /// Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details. #[serde(default, skip_serializing_if = "Option::is_none", rename = "failureReason")] pub failure_reason: Option, /// The number of replicas that have labels matching the labels of the machine template of the MachineSet. diff --git a/kube-custom-resources-rs/src/devices_kubeedge_io/v1beta1/devices.rs b/kube-custom-resources-rs/src/devices_kubeedge_io/v1beta1/devices.rs index 1bbb5bd09..0b542e844 100644 --- a/kube-custom-resources-rs/src/devices_kubeedge_io/v1beta1/devices.rs +++ b/kube-custom-resources-rs/src/devices_kubeedge_io/v1beta1/devices.rs 
@@ -105,6 +105,9 @@ pub struct DevicePropertiesPushMethod { /// MQTT Push method configuration for mqtt #[serde(default, skip_serializing_if = "Option::is_none")] pub mqtt: Option, + /// OTEL Push Method configuration for otel + #[serde(default, skip_serializing_if = "Option::is_none")] + pub otel: Option, } /// DBMethod represents the method used to push data to database, please ensure that the mapper can access the destination address. @@ -251,6 +254,14 @@ pub struct DevicePropertiesPushMethodMqtt { pub topic: Option, } +/// OTEL Push Method configuration for otel +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct DevicePropertiesPushMethodOtel { + /// the target endpoint URL the Exporter will connect to, like https://localhost:4318/v1/metrics + #[serde(default, skip_serializing_if = "Option::is_none", rename = "endpointURL")] + pub endpoint_url: Option, +} + /// Visitors are intended to be consumed by device mappers which connect to devices and collect data / perform actions on the device. Required: Protocol relevant config details about the how to access the device property. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct DevicePropertiesVisitors { @@ -279,6 +290,12 @@ pub struct DeviceStatus { /// Optional: The last time the device was online. #[serde(default, skip_serializing_if = "Option::is_none", rename = "lastOnlineTime")] pub last_online_time: Option, + /// Optional: Define how frequent mapper will report the device status. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "reportCycle")] + pub report_cycle: Option, + /// Optional: whether be reported to the cloud + #[serde(default, skip_serializing_if = "Option::is_none", rename = "reportToCloud")] + pub report_to_cloud: Option, /// Optional: The state of the device. #[serde(default, skip_serializing_if = "Option::is_none")] pub state: Option, 
diff --git a/kube-custom-resources-rs/src/elbv2_k8s_aws/v1alpha1/targetgroupbindings.rs b/kube-custom-resources-rs/src/elbv2_k8s_aws/v1alpha1/targetgroupbindings.rs index 922b21946..7168117b0 100644 --- a/kube-custom-resources-rs/src/elbv2_k8s_aws/v1alpha1/targetgroupbindings.rs +++ b/kube-custom-resources-rs/src/elbv2_k8s_aws/v1alpha1/targetgroupbindings.rs @@ -19,6 +19,9 @@ use self::prelude::*; #[kube(derive="Default")] #[kube(derive="PartialEq")] pub struct TargetGroupBindingSpec { + /// MultiClusterTargetGroup Denotes if the TargetGroup is shared among multiple clusters + #[serde(default, skip_serializing_if = "Option::is_none", rename = "multiClusterTargetGroup")] + pub multi_cluster_target_group: Option, /// networking provides the networking setup for ELBV2 LoadBalancer to access targets in TargetGroup. #[serde(default, skip_serializing_if = "Option::is_none")] pub networking: Option, diff --git a/kube-custom-resources-rs/src/elbv2_k8s_aws/v1beta1/targetgroupbindings.rs b/kube-custom-resources-rs/src/elbv2_k8s_aws/v1beta1/targetgroupbindings.rs index 987554b52..cc566351f 100644 --- a/kube-custom-resources-rs/src/elbv2_k8s_aws/v1beta1/targetgroupbindings.rs +++ b/kube-custom-resources-rs/src/elbv2_k8s_aws/v1beta1/targetgroupbindings.rs @@ -23,6 +23,9 @@ pub struct TargetGroupBindingSpec { /// ipAddressType specifies whether the target group is of type IPv4 or IPv6. If unspecified, it will be automatically inferred. #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipAddressType")] pub ip_address_type: Option, + /// MultiClusterTargetGroup Denotes if the TargetGroup is shared among multiple clusters + #[serde(default, skip_serializing_if = "Option::is_none", rename = "multiClusterTargetGroup")] + pub multi_cluster_target_group: Option, /// networking defines the networking rules to allow ELBV2 LoadBalancer to access targets in TargetGroup. #[serde(default, skip_serializing_if = "Option::is_none")] pub networking: Option, 
diff --git a/kube-custom-resources-rs/src/flow_volcano_sh/v1alpha1/jobtemplates.rs b/kube-custom-resources-rs/src/flow_volcano_sh/v1alpha1/jobtemplates.rs index 4c7e68b5a..507947aac 100644 --- a/kube-custom-resources-rs/src/flow_volcano_sh/v1alpha1/jobtemplates.rs +++ b/kube-custom-resources-rs/src/flow_volcano_sh/v1alpha1/jobtemplates.rs @@ -904,6 +904,8 @@ pub struct JobTemplateTasksTemplateSpecContainersResources { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct JobTemplateTasksTemplateSpecContainersResourcesClaims { pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub request: Option, } #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] @@ -1489,6 +1491,8 @@ pub struct JobTemplateTasksTemplateSpecEphemeralContainersResources { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct JobTemplateTasksTemplateSpecEphemeralContainersResourcesClaims { pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub request: Option, } #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] @@ -2067,6 +2071,8 @@ pub struct JobTemplateTasksTemplateSpecInitContainersResources { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct JobTemplateTasksTemplateSpecInitContainersResourcesClaims { pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub request: Option, } #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] 
@@ -2246,12 +2252,6 @@ pub struct JobTemplateTasksTemplateSpecReadinessGates { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct JobTemplateTasksTemplateSpecResourceClaims { pub name: String, - #[serde(default, skip_serializing_if = "Option::is_none")] - pub source: Option, -} - -#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct JobTemplateTasksTemplateSpecResourceClaimsSource { #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceClaimName")] pub resource_claim_name: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceClaimTemplateName")] @@ -2283,6 +2283,8 @@ pub struct JobTemplateTasksTemplateSpecSecurityContext { pub seccomp_profile: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "supplementalGroups")] pub supplemental_groups: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "supplementalGroupsPolicy")] + pub supplemental_groups_policy: Option, #[serde(default, skip_serializing_if = "Option::is_none")] pub sysctls: Option>, #[serde(default, skip_serializing_if = "Option::is_none", rename = "windowsOptions")] @@ -2422,6 +2424,8 @@ pub struct JobTemplateTasksTemplateSpecVolumes { #[serde(default, skip_serializing_if = "Option::is_none", rename = "hostPath")] pub host_path: Option, #[serde(default, skip_serializing_if = "Option::is_none")] + pub image: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] pub iscsi: Option, pub name: String, #[serde(default, skip_serializing_if = "Option::is_none")] 
@@ -2776,6 +2780,14 @@ pub struct JobTemplateTasksTemplateSpecVolumesHostPath { pub r#type: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct JobTemplateTasksTemplateSpecVolumesImage { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "pullPolicy")] + pub pull_policy: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub reference: Option, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct JobTemplateTasksTemplateSpecVolumesIscsi { #[serde(default, skip_serializing_if = "Option::is_none", rename = "chapAuthDiscovery")] diff --git a/kube-custom-resources-rs/src/grafana_integreatly_org/v1beta1/grafanadashboards.rs b/kube-custom-resources-rs/src/grafana_integreatly_org/v1beta1/grafanadashboards.rs index 7a95639f5..eafbc75ff 100644 --- a/kube-custom-resources-rs/src/grafana_integreatly_org/v1beta1/grafanadashboards.rs +++ b/kube-custom-resources-rs/src/grafana_integreatly_org/v1beta1/grafanadashboards.rs @@ -71,6 +71,9 @@ pub struct GrafanaDashboardSpec { /// how often the dashboard is refreshed, defaults to 5m if not set #[serde(default, skip_serializing_if = "Option::is_none", rename = "resyncPeriod")] pub resync_period: Option, + /// Manually specify the uid for the dashboard, overwrites uids already present in the json model + #[serde(default, skip_serializing_if = "Option::is_none")] + pub uid: Option, /// dashboard url #[serde(default, skip_serializing_if = "Option::is_none")] pub url: Option, @@ -151,7 +154,7 @@ pub struct GrafanaDashboardEnvFromSecretKeyRef { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct GrafanaDashboardEnvs { pub name: String, - /// Inline evn value + /// Inline env value #[serde(default, skip_serializing_if = "Option::is_none")] pub value: Option, /// Reference on value source, might be the reference on a secret or config map 
diff --git a/kube-custom-resources-rs/src/hive_openshift_io/v1/clusterdeploymentcustomizations.rs b/kube-custom-resources-rs/src/hive_openshift_io/v1/clusterdeploymentcustomizations.rs index 945ac1aa8..efb0910bf 100644 --- a/kube-custom-resources-rs/src/hive_openshift_io/v1/clusterdeploymentcustomizations.rs +++ b/kube-custom-resources-rs/src/hive_openshift_io/v1/clusterdeploymentcustomizations.rs 
@@ -24,18 +24,41 @@ pub struct ClusterDeploymentCustomizationSpec { pub install_config_patches: Option>, } -/// PatchEntity represent a json patch (RFC 6902) to be applied to the install-config -#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +/// PatchEntity represents a json patch (RFC 6902) to be applied +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] pub struct ClusterDeploymentCustomizationInstallConfigPatches { /// From is the json path to copy or move the value from #[serde(default, skip_serializing_if = "Option::is_none")] pub from: Option, - /// Op is the operation to perform: add, remove, replace, move, copy, test - pub op: String, + /// Op is the operation to perform. + pub op: ClusterDeploymentCustomizationInstallConfigPatchesOp, /// Path is the json path to the value to be modified pub path: String, - /// Value is the value to be used in the operation - pub value: String, + /// Value is the *string* value to be used in the operation. For more complex values, use + /// ValueJSON. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, + /// ValueJSON is a string representing a JSON object to be used in the operation. As such, + /// internal quotes must be escaped. If nonempty, Value is ignored. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "valueJSON")] + pub value_json: Option, +} + +/// PatchEntity represents a json patch (RFC 6902) to be applied +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ClusterDeploymentCustomizationInstallConfigPatchesOp { + #[serde(rename = "add")] + Add, + #[serde(rename = "remove")] + Remove, + #[serde(rename = "replace")] + Replace, + #[serde(rename = "move")] + Move, + #[serde(rename = "copy")] + Copy, + #[serde(rename = "test")] + Test, } /// ClusterDeploymentCustomizationStatus defines the observed state of ClusterDeploymentCustomization. 
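Review bot: `value` and `value_json` are now two independent optional fields, and the rule that a nonempty `valueJSON` makes `value` ignored lives only in the doc comment, so code that reads or audits these patches through `value` alone can see a different patch from the one that is applied. Consumers should resolve the pair in one place; assuming both are `Option<String>` (the type parameters are not shown on this page), that is `let effective = p.value_json.as_deref().filter(|s| !s.is_empty()).or(p.value.as_deref());`. The struct also loses `Default` from its derive list, which breaks downstream `..Default::default()` construction. The doc comment on `ClusterDeploymentCustomizationInstallConfigPatchesOp` repeats the struct's text, and `/// RFC 6902 operation to perform.` would describe the enum.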
diff --git a/kube-custom-resources-rs/src/hive_openshift_io/v1/hiveconfigs.rs b/kube-custom-resources-rs/src/hive_openshift_io/v1/hiveconfigs.rs index 4e842735d..adc94340c 100644 --- a/kube-custom-resources-rs/src/hive_openshift_io/v1/hiveconfigs.rs +++ b/kube-custom-resources-rs/src/hive_openshift_io/v1/hiveconfigs.rs @@ -47,6 +47,11 @@ pub struct HiveConfigSpec { /// ClusterVersionPollInterval is a string duration indicating how much time must pass before checking /// whether we need to update the hive.openshift.io/version* labels on ClusterDeployment. If zero or unset, /// we'll only reconcile when the ClusterDeployment changes. + /// This is a Duration value; see https://pkg.go.dev/time#ParseDuration for accepted formats. + /// Note: due to discrepancies in validation vs parsing, we use a Pattern instead of `Format=duration`. See + /// https://bugzilla.redhat.com/show_bug.cgi?id=2050332 + /// https://github.com/kubernetes/apimachinery/issues/131 + /// https://github.com/kubernetes/apiextensions-apiserver/issues/56 #[serde(default, skip_serializing_if = "Option::is_none", rename = "clusterVersionPollInterval")] pub cluster_version_poll_interval: Option, /// ControllersConfig is used to configure different hive controllers 
@@ -99,6 +104,11 @@ pub struct HiveConfigSpec { /// remote resources related to MachinePools need to be reapplied. Set to zero to disable polling -- we'll /// only reconcile when hub objects change. /// The default interval is 30m. + /// This is a Duration value; see https://pkg.go.dev/time#ParseDuration for accepted formats. + /// Note: due to discrepancies in validation vs parsing, we use a Pattern instead of `Format=duration`. See + /// https://bugzilla.redhat.com/show_bug.cgi?id=2050332 + /// https://github.com/kubernetes/apimachinery/issues/131 + /// https://github.com/kubernetes/apiextensions-apiserver/issues/56 #[serde(default, skip_serializing_if = "Option::is_none", rename = "machinePoolPollInterval")] pub machine_pool_poll_interval: Option, /// MaintenanceMode can be set to true to disable the hive controllers in situations where we need to ensure @@ -158,6 +168,11 @@ pub struct HiveConfigSpec { /// SyncSetReapplyInterval is a string duration indicating how much time must pass before SyncSet resources /// will be reapplied. /// The default reapply interval is two hours. + /// This is a Duration value; see https://pkg.go.dev/time#ParseDuration for accepted formats. + /// Note: due to discrepancies in validation vs parsing, we use a Pattern instead of `Format=duration`. See + /// https://bugzilla.redhat.com/show_bug.cgi?id=2050332 + /// https://github.com/kubernetes/apimachinery/issues/131 + /// https://github.com/kubernetes/apiextensions-apiserver/issues/56 #[serde(default, skip_serializing_if = "Option::is_none", rename = "syncSetReapplyInterval")] pub sync_set_reapply_interval: Option, /// TargetNamespace is the namespace where the core Hive components should be run. Defaults to "hive". Will be diff --git a/kube-custom-resources-rs/src/infrastructure_cluster_x_k8s_io/v1beta1/tinkerbellmachines.rs b/kube-custom-resources-rs/src/infrastructure_cluster_x_k8s_io/v1beta1/tinkerbellmachines.rs index fe80ac363..be70eab79 100644 
--- a/kube-custom-resources-rs/src/infrastructure_cluster_x_k8s_io/v1beta1/tinkerbellmachines.rs +++ b/kube-custom-resources-rs/src/infrastructure_cluster_x_k8s_io/v1beta1/tinkerbellmachines.rs @@ -19,6 +19,9 @@ use self::prelude::*; #[kube(derive="Default")] #[kube(derive="PartialEq")] pub struct TinkerbellMachineSpec { + /// BootOptions are options that control the booting of Hardware. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bootOptions")] + pub boot_options: Option, /// HardwareAffinity allows filtering for hardware. #[serde(default, skip_serializing_if = "Option::is_none", rename = "hardwareAffinity")] pub hardware_affinity: Option, @@ -60,6 +63,31 @@ pub struct TinkerbellMachineSpec { pub template_override: Option, } +/// BootOptions are options that control the booting of Hardware. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct TinkerbellMachineBootOptions { + /// BootMode is the type of booting that will be done. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bootMode")] + pub boot_mode: Option, + /// ISOURL is the URL of the ISO that will be one-time booted. + /// When this field is set, the controller will create a job.bmc.tinkerbell.org object + /// for getting the associated hardware into a CDROM booting state. + /// A HardwareRef that contains a spec.BmcRef must be provided. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "isoURL")] + pub iso_url: Option, +} + +/// BootOptions are options that control the booting of Hardware. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum TinkerbellMachineBootOptionsBootMode { + #[serde(rename = "none")] + None, + #[serde(rename = "netboot")] + Netboot, + #[serde(rename = "iso")] + Iso, +} + /// HardwareAffinity allows filtering for hardware. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct TinkerbellMachineHardwareAffinity { 
diff --git a/kube-custom-resources-rs/src/infrastructure_cluster_x_k8s_io/v1beta1/tinkerbellmachinetemplates.rs b/kube-custom-resources-rs/src/infrastructure_cluster_x_k8s_io/v1beta1/tinkerbellmachinetemplates.rs index 6f58397d4..0dde3a370 100644 --- a/kube-custom-resources-rs/src/infrastructure_cluster_x_k8s_io/v1beta1/tinkerbellmachinetemplates.rs +++ b/kube-custom-resources-rs/src/infrastructure_cluster_x_k8s_io/v1beta1/tinkerbellmachinetemplates.rs @@ -32,6 +32,9 @@ pub struct TinkerbellMachineTemplateTemplate { /// Spec is the specification of the desired behavior of the machine. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct TinkerbellMachineTemplateTemplateSpec { + /// BootOptions are options that control the booting of Hardware. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bootOptions")] + pub boot_options: Option, /// HardwareAffinity allows filtering for hardware. #[serde(default, skip_serializing_if = "Option::is_none", rename = "hardwareAffinity")] pub hardware_affinity: Option, 
@@ -73,6 +76,31 @@ pub struct TinkerbellMachineTemplateTemplateSpec { pub template_override: Option, } +/// BootOptions are options that control the booting of Hardware. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct TinkerbellMachineTemplateTemplateSpecBootOptions { + /// BootMode is the type of booting that will be done. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bootMode")] + pub boot_mode: Option, + /// ISOURL is the URL of the ISO that will be one-time booted. + /// When this field is set, the controller will create a job.bmc.tinkerbell.org object + /// for getting the associated hardware into a CDROM booting state. + /// A HardwareRef that contains a spec.BmcRef must be provided. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "isoURL")] + pub iso_url: Option, +} + +/// BootOptions are options that control the booting of Hardware. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum TinkerbellMachineTemplateTemplateSpecBootOptionsBootMode { + #[serde(rename = "none")] + None, + #[serde(rename = "netboot")] + Netboot, + #[serde(rename = "iso")] + Iso, +} + /// HardwareAffinity allows filtering for hardware. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct TinkerbellMachineTemplateTemplateSpecHardwareAffinity { diff --git a/kube-custom-resources-rs/src/jobset_x_k8s_io/v1alpha2/jobsets.rs b/kube-custom-resources-rs/src/jobset_x_k8s_io/v1alpha2/jobsets.rs index b26303bfa..6a6afc9e9 100644 --- a/kube-custom-resources-rs/src/jobset_x_k8s_io/v1alpha2/jobsets.rs +++ b/kube-custom-resources-rs/src/jobset_x_k8s_io/v1alpha2/jobsets.rs 
@@ -106,6 +106,10 @@ pub struct JobSetFailurePolicy { /// A restart is achieved by recreating all active child jobs. #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRestarts")] pub max_restarts: Option, + /// RestartStrategy defines the strategy to use when restarting the JobSet. + /// Defaults to Recreate. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "restartStrategy")] + pub restart_strategy: Option, /// List of failure policy rules for this JobSet. /// For a given Job failure, the rules will be evaluated in order, /// and only the first matching rule will be executed. @@ -114,6 +118,16 @@ pub struct JobSetFailurePolicy { pub rules: Option>, } +/// FailurePolicy, if set, configures when to declare the JobSet as +/// failed. +/// The JobSet is always declared failed if any job in the set +/// finished with status failed. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum JobSetFailurePolicyRestartStrategy { + Recreate, + BlockingRecreate, +} + /// FailurePolicyRule defines a FailurePolicyAction to be executed if a child job /// fails due to a reason listed in OnJobFailureReasons. #[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] diff --git a/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/backups.rs b/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/backups.rs index aeb776ba0..9b6376b18 100644 --- a/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/backups.rs +++ b/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/backups.rs 
@@ -87,7 +87,12 @@ pub struct BackupSpec { /// ServiceAccountName is the name of the ServiceAccount to be used by the Pods. #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountName")] pub service_account_name: Option, - /// Storage to be used in the Backup. + /// StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. + /// It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Backup Job is scheduled. + /// The staging area gets cleaned up after each backup is completed, consider this for sizing it appropriately. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "stagingStorage")] + pub staging_storage: Option, + /// Storage defines the final storage for backups. pub storage: BackupStorage, /// SuccessfulJobsHistoryLimit defines the maximum number of successful Jobs to be displayed. #[serde(default, skip_serializing_if = "Option::is_none", rename = "successfulJobsHistoryLimit")] 
@@ -474,7 +479,151 @@ pub struct BackupSecurityContextCapabilities { pub drop: Option>, } -/// Storage to be used in the Backup. +/// StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. +/// It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Backup Job is scheduled. +/// The staging area gets cleaned up after each backup is completed, consider this for sizing it appropriately. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStorage { + /// PersistentVolumeClaim is a Kubernetes PVC specification. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaim")] + pub persistent_volume_claim: Option, + /// Volume is a Kubernetes volume specification. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub volume: Option, +} + +/// PersistentVolumeClaim is a Kubernetes PVC specification. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStoragePersistentVolumeClaim { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + /// VolumeResourceRequirements describes the storage resource requirements for a volume. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + /// A label selector is a label query over a set of resources. The result of matchLabels and + /// matchExpressions are ANDed. An empty label selector matches all objects. A null + /// label selector matches no objects. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, +} + +/// VolumeResourceRequirements describes the storage resource requirements for a volume. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStoragePersistentVolumeClaimResources { + /// Limits describes the maximum amount of compute resources allowed. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + /// Requests describes the minimum amount of compute resources required. + /// If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + /// otherwise to an implementation-defined value. Requests cannot exceed Limits. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +/// A label selector is a label query over a set of resources. The result of matchLabels and +/// matchExpressions are ANDed. An empty label selector matches all objects. A null +/// label selector matches no objects. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStoragePersistentVolumeClaimSelector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStoragePersistentVolumeClaimSelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// Volume is a Kubernetes volume specification. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStorageVolume { + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub csi: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#emptydirvolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "emptyDir")] + pub empty_dir: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#nfsvolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub nfs: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaim")] + pub persistent_volume_claim: Option, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStorageVolumeCsi { + pub driver: String, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#localobjectreference-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodePublishSecretRef")] + pub node_publish_secret_ref: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributes")] + pub volume_attributes: Option>, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#localobjectreference-v1-core. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStorageVolumeCsiNodePublishSecretRef { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#emptydirvolumesource-v1-core. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStorageVolumeEmptyDir { + /// StorageMedium defines ways that storage can be allocated to a volume. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub medium: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sizeLimit")] + pub size_limit: Option, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#nfsvolumesource-v1-core. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStorageVolumeNfs { + pub path: String, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + pub server: String, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct BackupStagingStorageVolumePersistentVolumeClaim { + #[serde(rename = "claimName")] + pub claim_name: String, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, +} + +/// Storage defines the final storage for backups. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct BackupStorage { /// PersistentVolumeClaim is a Kubernetes PVC specification. @@ -627,9 +776,6 @@ pub struct BackupStorageS3TlsCaSecretKeyRef { /// Volume is a Kubernetes volume specification. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct BackupStorageVolume { - /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#configmapvolumesource-v1-core. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "configMap")] - pub config_map: Option, /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. #[serde(default, skip_serializing_if = "Option::is_none")] pub csi: Option, 
@@ -642,18 +788,6 @@ pub struct BackupStorageVolume { /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core. #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaim")] pub persistent_volume_claim: Option, - /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#secretvolumesource-v1-core. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub secret: Option, -} - -/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#configmapvolumesource-v1-core. -#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct BackupStorageVolumeConfigMap { - #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] - pub default_mode: Option, - #[serde(default, skip_serializing_if = "Option::is_none")] - pub name: Option, } /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. @@ -706,15 +840,6 @@ pub struct BackupStorageVolumePersistentVolumeClaim { pub read_only: Option, } -/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#secretvolumesource-v1-core. -#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct BackupStorageVolumeSecret { - #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] - pub default_mode: Option, - #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretName")] - pub secret_name: Option, -} - /// The pod this Toleration is attached to tolerates any taint that matches /// the triple using the matching operator . #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] 
diff --git a/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/mariadbs.rs b/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/mariadbs.rs index 3732f5b82..3d25b6259 100644 --- a/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/mariadbs.rs +++ b/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/mariadbs.rs @@ -394,6 +394,10 @@ pub struct MariaDBBootstrapFrom { /// S3 defines the configuration to restore backups from a S3 compatible storage. It has priority over Volume. #[serde(default, skip_serializing_if = "Option::is_none")] pub s3: Option, + /// StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. + /// It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Restore Job is scheduled. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "stagingStorage")] + pub staging_storage: Option, /// TargetRecoveryTime is a RFC3339 (1970-01-01T00:00:00Z) date and time that defines the point in time recovery objective. /// It is used to determine the closest restoration source in time. #[serde(default, skip_serializing_if = "Option::is_none", rename = "targetRecoveryTime")] 
@@ -699,12 +703,152 @@ pub struct MariaDBBootstrapFromS3TlsCaSecretKeyRef { pub name: Option, } +/// StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. +/// It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Restore Job is scheduled. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStorage { + /// PersistentVolumeClaim is a Kubernetes PVC specification. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaim")] + pub persistent_volume_claim: Option, + /// Volume is a Kubernetes volume specification. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub volume: Option, +} + +/// PersistentVolumeClaim is a Kubernetes PVC specification. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStoragePersistentVolumeClaim { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + /// VolumeResourceRequirements describes the storage resource requirements for a volume. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + /// A label selector is a label query over a set of resources. The result of matchLabels and + /// matchExpressions are ANDed. An empty label selector matches all objects. A null + /// label selector matches no objects. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, +} + +/// VolumeResourceRequirements describes the storage resource requirements for a volume. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStoragePersistentVolumeClaimResources { + /// Limits describes the maximum amount of compute resources allowed. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + /// Requests describes the minimum amount of compute resources required. + /// If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + /// otherwise to an implementation-defined value. Requests cannot exceed Limits. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +/// A label selector is a label query over a set of resources. The result of matchLabels and +/// matchExpressions are ANDed. An empty label selector matches all objects. A null +/// label selector matches no objects. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStoragePersistentVolumeClaimSelector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStoragePersistentVolumeClaimSelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// Volume is a Kubernetes volume specification. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStorageVolume { + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub csi: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#emptydirvolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "emptyDir")] + pub empty_dir: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#nfsvolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub nfs: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaim")] + pub persistent_volume_claim: Option, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStorageVolumeCsi { + pub driver: String, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#localobjectreference-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodePublishSecretRef")] + pub node_publish_secret_ref: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributes")] + pub volume_attributes: Option>, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#localobjectreference-v1-core. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStorageVolumeCsiNodePublishSecretRef { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#emptydirvolumesource-v1-core. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStorageVolumeEmptyDir { + /// StorageMedium defines ways that storage can be allocated to a volume. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub medium: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sizeLimit")] + pub size_limit: Option, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#nfsvolumesource-v1-core. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStorageVolumeNfs { + pub path: String, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + pub server: String, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct MariaDBBootstrapFromStagingStorageVolumePersistentVolumeClaim { + #[serde(rename = "claimName")] + pub claim_name: String, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, +} + /// Volume is a Kubernetes Volume object that contains a backup. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct MariaDBBootstrapFromVolume { - /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#configmapvolumesource-v1-core. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "configMap")] - pub config_map: Option, /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. #[serde(default, skip_serializing_if = "Option::is_none")] pub csi: Option, 
@@ -717,18 +861,6 @@ pub struct MariaDBBootstrapFromVolume { /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core. #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaim")] pub persistent_volume_claim: Option, - /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#secretvolumesource-v1-core. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub secret: Option, -} - -/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#configmapvolumesource-v1-core. -#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct MariaDBBootstrapFromVolumeConfigMap { - #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] - pub default_mode: Option, - #[serde(default, skip_serializing_if = "Option::is_none")] - pub name: Option, } /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. @@ -781,15 +913,6 @@ pub struct MariaDBBootstrapFromVolumePersistentVolumeClaim { pub read_only: Option, } -/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#secretvolumesource-v1-core. -#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct MariaDBBootstrapFromVolumeSecret { - #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] - pub default_mode: Option, - #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretName")] - pub secret_name: Option, -} - /// Connection defines a template to configure the general Connection object. /// This Connection provides the initial User access to the initial Database. /// It will make use of the Service to route network traffic to all Pods. 
diff --git a/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/restores.rs b/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/restores.rs index f29f08924..415be7116 100644 --- a/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/restores.rs +++ b/kube-custom-resources-rs/src/k8s_mariadb_com/v1alpha1/restores.rs @@ -76,6 +76,10 @@ pub struct RestoreSpec { /// ServiceAccountName is the name of the ServiceAccount to be used by the Pods. #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountName")] pub service_account_name: Option, + /// StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. + /// It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Restore Job is scheduled. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "stagingStorage")] + pub staging_storage: Option, /// TargetRecoveryTime is a RFC3339 (1970-01-01T00:00:00Z) date and time that defines the point in time recovery objective. /// It is used to determine the closest restoration source in time. #[serde(default, skip_serializing_if = "Option::is_none", rename = "targetRecoveryTime")] 
@@ -520,6 +524,149 @@ pub struct RestoreSecurityContextCapabilities { pub drop: Option>, } +/// StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. +/// It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Restore Job is scheduled. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStorage { + /// PersistentVolumeClaim is a Kubernetes PVC specification. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaim")] + pub persistent_volume_claim: Option, + /// Volume is a Kubernetes volume specification. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub volume: Option, +} + +/// PersistentVolumeClaim is a Kubernetes PVC specification. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStoragePersistentVolumeClaim { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + /// VolumeResourceRequirements describes the storage resource requirements for a volume. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + /// A label selector is a label query over a set of resources. The result of matchLabels and + /// matchExpressions are ANDed. An empty label selector matches all objects. A null + /// label selector matches no objects. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, +} + +/// VolumeResourceRequirements describes the storage resource requirements for a volume. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStoragePersistentVolumeClaimResources { + /// Limits describes the maximum amount of compute resources allowed. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + /// Requests describes the minimum amount of compute resources required. + /// If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + /// otherwise to an implementation-defined value. Requests cannot exceed Limits. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +/// A label selector is a label query over a set of resources. The result of matchLabels and +/// matchExpressions are ANDed. An empty label selector matches all objects. A null +/// label selector matches no objects. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStoragePersistentVolumeClaimSelector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStoragePersistentVolumeClaimSelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// Volume is a Kubernetes volume specification. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStorageVolume { + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub csi: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#emptydirvolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "emptyDir")] + pub empty_dir: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#nfsvolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub nfs: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaim")] + pub persistent_volume_claim: Option, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStorageVolumeCsi { + pub driver: String, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#localobjectreference-v1-core. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodePublishSecretRef")] + pub node_publish_secret_ref: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributes")] + pub volume_attributes: Option>, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#localobjectreference-v1-core. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStorageVolumeCsiNodePublishSecretRef { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#emptydirvolumesource-v1-core. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStorageVolumeEmptyDir { + /// StorageMedium defines ways that storage can be allocated to a volume. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub medium: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sizeLimit")] + pub size_limit: Option, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#nfsvolumesource-v1-core. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStorageVolumeNfs { + pub path: String, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + pub server: String, +} + +/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct RestoreStagingStorageVolumePersistentVolumeClaim { + #[serde(rename = "claimName")] + pub claim_name: String, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, +} + /// The pod this Toleration is attached to tolerates any taint that matches /// the triple using the matching operator . #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] @@ -553,9 +700,6 @@ pub struct RestoreTolerations { /// Volume is a Kubernetes Volume object that contains a backup. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct RestoreVolume { - /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#configmapvolumesource-v1-core. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "configMap")] - pub config_map: Option, /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. #[serde(default, skip_serializing_if = "Option::is_none")] pub csi: Option, 
@@ -568,18 +712,6 @@ pub struct RestoreVolume { /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#persistentvolumeclaimvolumesource-v1-core. #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaim")] pub persistent_volume_claim: Option, - /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#secretvolumesource-v1-core. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub secret: Option, -} - -/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#configmapvolumesource-v1-core. -#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct RestoreVolumeConfigMap { - #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] - pub default_mode: Option, - #[serde(default, skip_serializing_if = "Option::is_none")] - pub name: Option, } /// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#csivolumesource-v1-core. @@ -632,15 +764,6 @@ pub struct RestoreVolumePersistentVolumeClaim { pub read_only: Option, } -/// Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#secretvolumesource-v1-core. -#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct RestoreVolumeSecret { - #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] - pub default_mode: Option, - #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretName")] - pub secret_name: Option, -} - /// RestoreStatus defines the observed state of restore #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct RestoreStatus { diff --git a/kube-custom-resources-rs/src/kuadrant_io/v1alpha1/dnsrecords.rs b/kube-custom-resources-rs/src/kuadrant_io/v1alpha1/dnsrecords.rs index 421615323..0d8afe865 100644 
--- a/kube-custom-resources-rs/src/kuadrant_io/v1alpha1/dnsrecords.rs +++ b/kube-custom-resources-rs/src/kuadrant_io/v1alpha1/dnsrecords.rs @@ -86,10 +86,6 @@ pub struct DNSRecordHealthCheck { /// token is required by the endpoint. #[serde(default, skip_serializing_if = "Option::is_none", rename = "additionalHeadersRef")] pub additional_headers_ref: Option, - /// AllowInsecureCertificate will instruct the health check probe to not fail on a self-signed or otherwise invalid SSL certificate - /// this is primarily used in development or testing environments - #[serde(default, skip_serializing_if = "Option::is_none", rename = "allowInsecureCertificate")] - pub allow_insecure_certificate: Option, /// FailureThreshold is a limit of consecutive failures that must occur for a host to be considered unhealthy #[serde(default, skip_serializing_if = "Option::is_none", rename = "failureThreshold")] pub failure_threshold: Option, @@ -148,6 +144,9 @@ pub struct DNSRecordStatus { /// QueuedAt is a time when DNS record was received for the reconciliation #[serde(default, skip_serializing_if = "Option::is_none", rename = "queuedAt")] pub queued_at: Option, + /// ZoneEndpoints are all the endpoints for the DNSRecordSpec.RootHost that are present in the provider + #[serde(default, skip_serializing_if = "Option::is_none", rename = "relatedEndpoints")] + pub related_endpoints: Option>, /// ValidFor indicates duration since the last reconciliation we consider data in the record to be valid #[serde(default, skip_serializing_if = "Option::is_none", rename = "validFor")] pub valid_for: Option, 
@@ -218,3 +217,38 @@ pub struct DNSRecordStatusHealthCheckProbes { pub synced: Option, } +/// Endpoint is a high-level way of a connection between a service and an IP +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct DNSRecordStatusRelatedEndpoints { + /// The hostname of the DNS record + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dnsName")] + pub dns_name: Option, + /// Labels stores labels defined for the Endpoint + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, + /// ProviderSpecific stores provider specific config + #[serde(default, skip_serializing_if = "Option::is_none", rename = "providerSpecific")] + pub provider_specific: Option>, + /// TTL for the record + #[serde(default, skip_serializing_if = "Option::is_none", rename = "recordTTL")] + pub record_ttl: Option, + /// RecordType type of record, e.g. CNAME, A, AAAA, SRV, TXT etc + #[serde(default, skip_serializing_if = "Option::is_none", rename = "recordType")] + pub record_type: Option, + /// Identifier to distinguish multiple records with the same name and type (e.g. Route53 records with routing policies other than 'simple') + #[serde(default, skip_serializing_if = "Option::is_none", rename = "setIdentifier")] + pub set_identifier: Option, + /// The targets the DNS record points to + #[serde(default, skip_serializing_if = "Option::is_none")] + pub targets: Option>, +} + +/// ProviderSpecificProperty holds the name and value of a configuration which is specific to individual DNS providers +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct DNSRecordStatusRelatedEndpointsProviderSpecific { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + 
diff --git a/kube-custom-resources-rs/src/kuadrant_io/v1beta3/authpolicies.rs b/kube-custom-resources-rs/src/kuadrant_io/v1beta3/authpolicies.rs new file mode 100644 index 000000000..e4a0330c5 --- /dev/null +++ b/kube-custom-resources-rs/src/kuadrant_io/v1beta3/authpolicies.rs 
@@ -0,0 +1,6750 @@ +// WARNING: generated by kopium - manual changes will be overwritten +// kopium command: kopium --docs --filename=./crd-catalog/Kuadrant/kuadrant-operator/kuadrant.io/v1beta3/authpolicies.yaml --derive=Default --derive=PartialEq --smart-derive-elision +// kopium version: 0.21.1 + +#[allow(unused_imports)] +mod prelude { + pub use kube::CustomResource; + pub use serde::{Serialize, Deserialize}; + pub use std::collections::BTreeMap; + pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition; +} +use self::prelude::*; + +/// Mutual Exclusivity Validation +#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +#[kube(group = "kuadrant.io", version = "v1beta3", kind = "AuthPolicy", plural = "authpolicies")] +#[kube(namespaced)] +#[kube(status = "AuthPolicyStatus")] +#[kube(schema = "disabled")] +#[kube(derive="Default")] +#[kube(derive="PartialEq")] +pub struct AuthPolicySpec { + /// Defaults define explicit default values for this policy and for policies inheriting this policy. + /// Defaults are mutually exclusive with implicit defaults defined by AuthPolicyCommonSpec. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub defaults: Option, + /// Overrides define explicit override values for this policy. + /// Overrides are mutually exclusive with explicit and implicit defaults defined by AuthPolicyCommonSpec. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub overrides: Option, + /// Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub patterns: Option>, + /// The auth rules of the policy. + /// See Authorino's AuthConfig CRD for more details. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rules: Option, + /// TargetRef identifies an API object to apply policy to. 
+ #[serde(rename = "targetRef")] + pub target_ref: AuthPolicyTargetRef, + /// Overall conditions for the AuthPolicy to be enforced. + /// If omitted, the AuthPolicy will be enforced at all requests to the protected routes. + /// If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +/// Defaults define explicit default values for this policy and for policies inheriting this policy. +/// Defaults are mutually exclusive with implicit defaults defined by AuthPolicyCommonSpec. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaults { + /// Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub patterns: Option>, + /// The auth rules of the policy. + /// See Authorino's AuthConfig CRD for more details. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rules: Option, + /// Overall conditions for the AuthPolicy to be enforced. + /// If omitted, the AuthPolicy will be enforced at all requests to the protected routes. + /// If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsPatterns { + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". 
+ /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsPatternsOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// The auth rules of the policy. +/// See Authorino's AuthConfig CRD for more details. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRules { + /// Authentication configs. + /// At least one config MUST evaluate to a valid identity object for the auth request to be successful. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub authentication: Option>, + /// Authorization policies. + /// All policies MUST evaluate to "allowed = true" for the auth request be successful. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub authorization: Option>, + /// Callback functions. + /// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub callbacks: Option>, + /// Metadata sources. + /// Authorino fetches auth metadata as JSON from sources specified in this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option>, + /// Response items. + /// Authorino builds custom responses to the client of the auth request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub response: Option, +} + +/// Authentication configs. +/// At least one config MUST evaluate to a valid identity object for the auth request to be successful. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthentication { + /// Anonymous access. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub anonymous: Option, + /// Authentication based on API keys stored in Kubernetes secrets. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiKey")] + pub api_key: Option, + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// Defines where credentials are required to be passed in the request for authentication based on this config. + /// If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Set default property values (claims) for the resolved identity object, that are set before appending the object to + /// the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. + /// It requires the resolved identity object to always be a JSON object. + /// Do not use this option with identity objects of other JSON types (array, string, etc). 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub defaults: Option>, + /// Authentication based on JWT tokens. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub jwt: Option, + /// Authentication by Kubernetes token review. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesTokenReview")] + pub kubernetes_token_review: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Authentication by OAuth2 token introspection. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "oauth2Introspection")] + pub oauth2_introspection: Option, + /// Overrides the resolved identity object by setting the additional properties (claims) specified in this config, + /// before appending the object to the authorization JSON. + /// It requires the resolved identity object to always be a JSON object. + /// Do not use this option with identity objects of other JSON types (array, string, etc). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub overrides: Option>, + /// Identity object extracted from the context. + /// Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub plain: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, + /// Authentication based on client X.509 certificates. + /// The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub x509: Option, +} + +/// Anonymous access. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationAnonymous { +} + +/// Authentication based on API keys stored in Kubernetes secrets. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationApiKey { + /// Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. + /// Enabling this option in namespaced Authorino instances has no effect. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allNamespaces")] + pub all_namespaces: Option, + /// Label selector used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service + pub selector: AuthPolicyDefaultsRulesAuthenticationApiKeySelector, +} + +/// Label selector used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationApiKeySelector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationApiKeySelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyDefaultsRulesAuthenticationCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 
'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Defines where credentials are required to be passed in the request for authentication based on this config. +/// If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, 
Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationCredentialsQueryString { + pub name: String, +} + +/// Set default property values (claims) for the resolved identity object, that are set before appending the object to +/// the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. +/// It requires the resolved identity object to always be a JSON object. +/// Do not use this option with identity objects of other JSON types (array, string, etc). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationDefaults { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Authentication based on JWT tokens. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationJwt { + /// URL of the issuer of the JWT. + /// If `jwksUrl` is omitted, Authorino will append the path to the OpenID Connect Well-Known Discovery endpoint + /// (i.e. "/.well-known/openid-configuration") to this URL, to discover the OIDC configuration where to obtain + /// the "jkws_uri" claim from. + /// The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "issuerUrl")] + pub issuer_url: Option, + /// Decides how long to wait before refreshing the JWKS (in seconds). + /// If omitted, Authorino will never refresh the JWKS. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Authentication by Kubernetes token review. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationKubernetesTokenReview { + /// The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. + /// If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub audiences: Option>, +} + +/// Authentication by OAuth2 token introspection. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationOauth2Introspection { + /// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server. + #[serde(rename = "credentialsRef")] + pub credentials_ref: AuthPolicyDefaultsRulesAuthenticationOauth2IntrospectionCredentialsRef, + /// The full URL of the token introspection endpoint. + pub endpoint: String, + /// The token type hint for the token introspection. + /// If omitted, it defaults to "access_token". + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenTypeHint")] + pub token_type_hint: Option, +} + +/// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationOauth2IntrospectionCredentialsRef { + /// Name of the referent. 
+ /// This field is effectively required, but due to backwards compatibility is + /// allowed to be empty. Instances of this type with an empty value here are + /// almost certainly wrong. + /// TODO: Add other useful fields. apiVersion, kind, uid? + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// Overrides the resolved identity object by setting the additional properties (claims) specified in this config, +/// before appending the object to the authorization JSON. +/// It requires the resolved identity object to always be a JSON object. +/// Do not use this option with identity objects of other JSON types (array, string, etc). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationOverrides { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Identity object extracted from the context. +/// Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationPlain { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + pub selector: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. 
+ /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesAuthenticationWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authentication based on client X.509 certificates. +/// The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationX509 { + /// Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. + /// Enabling this option in namespaced Authorino instances has no effect. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allNamespaces")] + pub all_namespaces: Option, + /// Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate + /// clients trying to authenticate to this service + pub selector: AuthPolicyDefaultsRulesAuthenticationX509Selector, +} + +/// Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate +/// clients trying to authenticate to this service +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationX509Selector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthenticationX509SelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// Authorization policies. +/// All policies MUST evaluate to "allowed = true" for the auth request be successful. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorization { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// Authorization by Kubernetes SubjectAccessReview + #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesSubjectAccessReview")] + pub kubernetes_subject_access_review: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Open Policy Agent (OPA) Rego policy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub opa: Option, + /// Pattern-matching authorization rules. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternMatching")] + pub pattern_matching: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Authorization decision delegated to external Authzed/SpiceDB server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub spicedb: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. 
+ pub key: AuthPolicyDefaultsRulesAuthorizationCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Authorization by Kubernetes SubjectAccessReview +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationKubernetesSubjectAccessReview { + /// Groups the user must be a member of or, if `user` is omitted, the groups to check for authorization in the Kubernetes RBAC. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub groups: Option>, + /// Use resourceAttributes to check permissions on Kubernetes resources. + /// If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceAttributes")] + pub resource_attributes: Option, + /// User to check for authorization in the Kubernetes RBAC. + /// Omit it to check for group authorization only. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub user: Option, +} + +/// Use resourceAttributes to check permissions on Kubernetes resources. +/// If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributes { + /// API group of the resource. + /// Use '*' for all API groups. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub group: Option, + /// Resource name + /// Omit it to check for authorization on all resources of the specified kind. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + /// Namespace where the user must have permissions on the resource. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, + /// Resource kind + /// Use '*' for all resource kinds. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource: Option, + /// Subresource kind + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subresource: Option, + /// Verb to check for authorization on the resource. + /// Use '*' for all verbs. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub verb: Option, +} + +/// API group of the resource. +/// Use '*' for all API groups. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesGroup { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Resource name +/// Omit it to check for authorization on all resources of the specified kind. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesName { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Namespace where the user must have permissions on the resource. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesNamespace { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Resource kind +/// Use '*' for all resource kinds. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesResource { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Subresource kind +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesSubresource { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Verb to check for authorization on the resource. +/// Use '*' for all verbs. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesVerb { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// User to check for authorization in the Kubernetes RBAC. +/// Omit it to check for group authorization only. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationKubernetesSubjectAccessReviewUser { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Open Policy Agent (OPA) Rego policy. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpa { + /// Returns the value of all Rego rules in the virtual document. 
Values can be read in subsequent evaluators/phases of the Auth Pipeline. + /// Otherwise, only the default `allow` rule will be exposed. + /// Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allValues")] + pub all_values: Option, + /// Settings for fetching the OPA policy from an external registry. + /// Use it alternatively to 'rego'. + /// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', + /// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "externalPolicy")] + pub external_policy: Option, + /// Authorization policy as a Rego language document. + /// The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). + /// The Rego document must NOT include the "package" declaration in line 1. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rego: Option, +} + +/// Settings for fetching the OPA policy from an external registry. +/// Use it alternatively to 'rego'. +/// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', +/// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicy { + /// Raw body of the HTTP request. + /// Supersedes 'bodyParameters'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// Custom parameters to encode in the body of the HTTP request. + /// Superseded by 'body'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bodyParameters")] + pub body_parameters: Option>, + /// Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + /// Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "contentType")] + pub content_type: Option, + /// Defines where client credentials will be passed in the request to the service. + /// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Custom headers in the HTTP request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP verb used in the request to the service. Accepted values: GET (default), POST. + /// When the request method is POST, the authorization JSON is passed in the body of the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub method: Option, + /// Authentication with the HTTP service by OAuth2 Client Credentials grant. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oauth2: Option, + /// Reference to a Secret key whose value will be passed by Authorino in the request. + /// The HTTP service can use the shared secret to authenticate the origin of the request. + /// Ignored if used together with oauth2. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, + /// Endpoint URL of the HTTP service. + /// The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + /// by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + /// E.g. https://ext-auth-server.io/metadata?p={request.path} + pub url: String, +} + +/// Raw body of the HTTP request. +/// Supersedes 'bodyParameters'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Custom parameters to encode in the body of the HTTP request. +/// Superseded by 'body'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyBodyParameters { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings for fetching the OPA policy from an external registry. +/// Use it alternatively to 'rego'. +/// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', +/// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyContentType { + #[serde(rename = "application/x-www-form-urlencoded")] + ApplicationXWwwFormUrlencoded, + #[serde(rename = "application/json")] + ApplicationJson, +} + +/// Defines where client credentials will be passed in the request to the service. +/// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyCredentialsQueryString { + pub name: String, +} + +/// Custom headers in the HTTP request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings for fetching the OPA policy from an external registry. +/// Use it alternatively to 'rego'. +/// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', +/// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyMethod { + #[serde(rename = "GET")] + Get, + #[serde(rename = "POST")] + Post, + #[serde(rename = "PUT")] + Put, + #[serde(rename = "PATCH")] + Patch, + #[serde(rename = "DELETE")] + Delete, + #[serde(rename = "HEAD")] + Head, + #[serde(rename = "OPTIONS")] + Options, + #[serde(rename = "CONNECT")] + Connect, + #[serde(rename = "TRACE")] + Trace, +} + +/// Authentication with the HTTP service by OAuth2 Client Credentials grant. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyOauth2 { + /// Caches and reuses the token until expired. + /// Set it to false to force fetch the token at every authorization request regardless of expiration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// OAuth2 Client ID. + #[serde(rename = "clientId")] + pub client_id: String, + /// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. + #[serde(rename = "clientSecretRef")] + pub client_secret_ref: AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyOauth2ClientSecretRef, + /// Optional extra parameters for the requests to the token URL. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraParams")] + pub extra_params: Option>, + /// Optional scopes for the client credentials grant, if supported by he OAuth2 server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub scopes: Option>, + /// Token endpoint URL of the OAuth2 resource server. + #[serde(rename = "tokenUrl")] + pub token_url: String, +} + +/// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicyOauth2ClientSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Reference to a Secret key whose value will be passed by Authorino in the request. +/// The HTTP service can use the shared secret to authenticate the origin of the request. +/// Ignored if used together with oauth2. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationOpaExternalPolicySharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Pattern-matching authorization rules. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationPatternMatching { + pub patterns: Vec, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationPatternMatchingPatterns { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesAuthorizationPatternMatchingPatternsOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authorization decision delegated to external Authzed/SpiceDB server. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationSpicedb { + /// Hostname and port number to the GRPC interface of the SpiceDB server (e.g. spicedb:50051). + pub endpoint: String, + /// Insecure HTTP connection (i.e. 
disables TLS verification) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub insecure: Option, + /// The name of the permission (or relation) on which to execute the check. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub permission: Option, + /// The resource on which to check the permission or relation. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource: Option, + /// Reference to a Secret key whose value will be used by Authorino to authenticate with the Authzed service. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// The subject that will be checked for the permission or relation. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subject: Option, +} + +/// The name of the permission (or relation) on which to execute the check. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationSpicedbPermission { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// The resource on which to check the permission or relation. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationSpicedbResource { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub kind: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationSpicedbResourceKind { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationSpicedbResourceName { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Reference to a Secret key whose value will be used by Authorino to authenticate with the Authzed service. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationSpicedbSharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// The subject that will be checked for the permission or relation. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationSpicedbSubject { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub kind: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationSpicedbSubjectKind { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationSpicedbSubjectName { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesAuthorizationWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesAuthorizationWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Callback functions. +/// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacks { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// Settings of the external HTTP request + #[serde(default, skip_serializing_if = "Option::is_none")] + pub http: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyDefaultsRulesCallbacksCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings of the external HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttp { + /// Raw body of the HTTP request. + /// Supersedes 'bodyParameters'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// Custom parameters to encode in the body of the HTTP request. + /// Superseded by 'body'; use either one or the other. 
+ /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bodyParameters")] + pub body_parameters: Option>, + /// Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + /// Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "contentType")] + pub content_type: Option, + /// Defines where client credentials will be passed in the request to the service. + /// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Custom headers in the HTTP request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP verb used in the request to the service. Accepted values: GET (default), POST. + /// When the request method is POST, the authorization JSON is passed in the body of the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub method: Option, + /// Authentication with the HTTP service by OAuth2 Client Credentials grant. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oauth2: Option, + /// Reference to a Secret key whose value will be passed by Authorino in the request. + /// The HTTP service can use the shared secret to authenticate the origin of the request. + /// Ignored if used together with oauth2. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// Endpoint URL of the HTTP service. 
+ /// The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + /// by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + /// E.g. https://ext-auth-server.io/metadata?p={request.path} + pub url: String, +} + +/// Raw body of the HTTP request. +/// Supersedes 'bodyParameters'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttpBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Custom parameters to encode in the body of the HTTP request. +/// Superseded by 'body'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttpBodyParameters { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings of the external HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesCallbacksHttpContentType { + #[serde(rename = "application/x-www-form-urlencoded")] + ApplicationXWwwFormUrlencoded, + #[serde(rename = "application/json")] + ApplicationJson, +} + +/// Defines where client credentials will be passed in the request to the service. +/// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttpCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttpCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttpCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct 
AuthPolicyDefaultsRulesCallbacksHttpCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttpCredentialsQueryString { + pub name: String, +} + +/// Custom headers in the HTTP request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttpHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings of the external HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesCallbacksHttpMethod { + #[serde(rename = "GET")] + Get, + #[serde(rename = "POST")] + Post, + #[serde(rename = "PUT")] + Put, + #[serde(rename = "PATCH")] + Patch, + #[serde(rename = "DELETE")] + Delete, + #[serde(rename = "HEAD")] + Head, + #[serde(rename = "OPTIONS")] + Options, + #[serde(rename = "CONNECT")] + Connect, + #[serde(rename = "TRACE")] + Trace, +} + +/// Authentication with the HTTP service by OAuth2 Client Credentials grant. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttpOauth2 { + /// Caches and reuses the token until expired. + /// Set it to false to force fetch the token at every authorization request regardless of expiration. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// OAuth2 Client ID. + #[serde(rename = "clientId")] + pub client_id: String, + /// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. + #[serde(rename = "clientSecretRef")] + pub client_secret_ref: AuthPolicyDefaultsRulesCallbacksHttpOauth2ClientSecretRef, + /// Optional extra parameters for the requests to the token URL. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraParams")] + pub extra_params: Option>, + /// Optional scopes for the client credentials grant, if supported by he OAuth2 server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub scopes: Option>, + /// Token endpoint URL of the OAuth2 resource server. + #[serde(rename = "tokenUrl")] + pub token_url: String, +} + +/// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttpOauth2ClientSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Reference to a Secret key whose value will be passed by Authorino in the request. +/// The HTTP service can use the shared secret to authenticate the origin of the request. +/// Ignored if used together with oauth2. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksHttpSharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesCallbacksWhen { + /// A list of pattern expressions to be evaluated as a logical AND. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesCallbacksWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Metadata sources. +/// Authorino fetches auth metadata as JSON from sources specified in this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadata { + /// Caching options for the resolved object returned when applying this config. 
+ /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// External source of auth metadata via HTTP request + #[serde(default, skip_serializing_if = "Option::is_none")] + pub http: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// User-Managed Access (UMA) source of resource data. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub uma: Option, + /// OpendID Connect UserInfo linked to an OIDC authentication config specified in this same AuthConfig. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "userInfo")] + pub user_info: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyDefaultsRulesMetadataCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// External source of auth metadata via HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttp { + /// Raw body of the HTTP request. + /// Supersedes 'bodyParameters'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// Custom parameters to encode in the body of the HTTP request. + /// Superseded by 'body'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bodyParameters")] + pub body_parameters: Option>, + /// Content-Type of the request body. Shapes how 'bodyParameters' are encoded. 
+ /// Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "contentType")] + pub content_type: Option, + /// Defines where client credentials will be passed in the request to the service. + /// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Custom headers in the HTTP request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP verb used in the request to the service. Accepted values: GET (default), POST. + /// When the request method is POST, the authorization JSON is passed in the body of the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub method: Option, + /// Authentication with the HTTP service by OAuth2 Client Credentials grant. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oauth2: Option, + /// Reference to a Secret key whose value will be passed by Authorino in the request. + /// The HTTP service can use the shared secret to authenticate the origin of the request. + /// Ignored if used together with oauth2. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// Endpoint URL of the HTTP service. + /// The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + /// by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + /// E.g. https://ext-auth-server.io/metadata?p={request.path} + pub url: String, +} + +/// Raw body of the HTTP request. +/// Supersedes 'bodyParameters'; use either one or the other. 
+/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttpBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Custom parameters to encode in the body of the HTTP request. +/// Superseded by 'body'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttpBodyParameters { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// External source of auth metadata via HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesMetadataHttpContentType { + #[serde(rename = "application/x-www-form-urlencoded")] + ApplicationXWwwFormUrlencoded, + #[serde(rename = "application/json")] + ApplicationJson, +} + +/// Defines where client credentials will be passed in the request to the service. +/// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttpCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttpCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttpCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttpCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct 
AuthPolicyDefaultsRulesMetadataHttpCredentialsQueryString { + pub name: String, +} + +/// Custom headers in the HTTP request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttpHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// External source of auth metadata via HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesMetadataHttpMethod { + #[serde(rename = "GET")] + Get, + #[serde(rename = "POST")] + Post, + #[serde(rename = "PUT")] + Put, + #[serde(rename = "PATCH")] + Patch, + #[serde(rename = "DELETE")] + Delete, + #[serde(rename = "HEAD")] + Head, + #[serde(rename = "OPTIONS")] + Options, + #[serde(rename = "CONNECT")] + Connect, + #[serde(rename = "TRACE")] + Trace, +} + +/// Authentication with the HTTP service by OAuth2 Client Credentials grant. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttpOauth2 { + /// Caches and reuses the token until expired. + /// Set it to false to force fetch the token at every authorization request regardless of expiration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// OAuth2 Client ID. 
+ #[serde(rename = "clientId")] + pub client_id: String, + /// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. + #[serde(rename = "clientSecretRef")] + pub client_secret_ref: AuthPolicyDefaultsRulesMetadataHttpOauth2ClientSecretRef, + /// Optional extra parameters for the requests to the token URL. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraParams")] + pub extra_params: Option>, + /// Optional scopes for the client credentials grant, if supported by he OAuth2 server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub scopes: Option>, + /// Token endpoint URL of the OAuth2 resource server. + #[serde(rename = "tokenUrl")] + pub token_url: String, +} + +/// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttpOauth2ClientSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Reference to a Secret key whose value will be passed by Authorino in the request. +/// The HTTP service can use the shared secret to authenticate the origin of the request. +/// Ignored if used together with oauth2. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataHttpSharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// User-Managed Access (UMA) source of resource data. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataUma { + /// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the resource registration API of the UMA server. + #[serde(rename = "credentialsRef")] + pub credentials_ref: AuthPolicyDefaultsRulesMetadataUmaCredentialsRef, + /// The endpoint of the UMA server. + /// The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + pub endpoint: String, +} + +/// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the resource registration API of the UMA server. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataUmaCredentialsRef { + /// Name of the referent. + /// This field is effectively required, but due to backwards compatibility is + /// allowed to be empty. Instances of this type with an empty value here are + /// almost certainly wrong. + /// TODO: Add other useful fields. apiVersion, kind, uid? + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// OpendID Connect UserInfo linked to an OIDC authentication config specified in this same AuthConfig. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataUserInfo { + /// The name of an OIDC-enabled JWT authentication config whose OpenID Connect configuration discovered includes the OIDC "userinfo_endpoint" claim. 
+ #[serde(rename = "identitySource")] + pub identity_source: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesMetadataWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesMetadataWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Response items. 
+/// Authorino builds custom responses to the client of the auth request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponse { + /// Response items to be included in the auth response when the request is authenticated and authorized. + /// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub success: Option, + /// Customizations on the denial status attributes when the request is unauthenticated. + /// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. + /// Default: 401 Unauthorized + #[serde(default, skip_serializing_if = "Option::is_none")] + pub unauthenticated: Option, + /// Customizations on the denial status attributes when the request is unauthorized. + /// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. + /// Default: 403 Forbidden + #[serde(default, skip_serializing_if = "Option::is_none")] + pub unauthorized: Option, +} + +/// Response items to be included in the auth response when the request is authenticated and authorized. +/// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccess { + /// Custom success response items wrapped as HTTP headers. + /// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata. 
+ /// See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dynamicMetadata")] + pub dynamic_metadata: Option>, + /// Custom success response items wrapped as HTTP headers. + /// For integration of Authorino via proxy, the proxy must use these settings to inject data in the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, +} + +/// Custom success response items wrapped as HTTP headers. +/// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata. +/// See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessDynamicMetadata { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// JSON object + /// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub json: Option, + /// The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). + /// If omitted, it will be set to the name of the response config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Plain text content + #[serde(default, skip_serializing_if = "Option::is_none")] + pub plain: Option, + /// Priority group of the config. 
+ /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, + /// Authorino Festival Wristband token + #[serde(default, skip_serializing_if = "Option::is_none")] + pub wristband: Option, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// JSON object +/// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataJson { + pub properties: BTreeMap, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataJsonProperties { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Plain text content +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataPlain { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authorino Festival Wristband token +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataWristband { + /// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customClaims")] + pub custom_claims: Option>, + /// The endpoint to the Authorino service that issues the wristband (format: ://:/, where = /, + /// Time span of the wristband token, in seconds. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenDuration")] + pub token_duration: Option, +} + +/// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataWristbandCustomClaims { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataWristbandSigningKeyRefs { + /// Algorithm to sign the wristband token using the signing key provided + pub algorithm: AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataWristbandSigningKeyRefsAlgorithm, + /// Name of the signing key. + /// The value is used to reference the Kubernetes secret that stores the key and in the `kid` claim of the wristband token header. + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesResponseSuccessDynamicMetadataWristbandSigningKeyRefsAlgorithm { + #[serde(rename = "ES256")] + Es256, + #[serde(rename = "ES384")] + Es384, + #[serde(rename = "ES512")] + Es512, + #[serde(rename = "RS256")] + Rs256, + #[serde(rename = "RS384")] + Rs384, + #[serde(rename = "RS512")] + Rs512, +} + +/// Custom success response items wrapped as HTTP headers. +/// For integration of Authorino via proxy, the proxy must use these settings to inject data in the request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessHeaders { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// JSON object + /// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub json: Option, + /// The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). 
+ /// If omitted, it will be set to the name of the response config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Plain text content + #[serde(default, skip_serializing_if = "Option::is_none")] + pub plain: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, + /// Authorino Festival Wristband token + #[serde(default, skip_serializing_if = "Option::is_none")] + pub wristband: Option, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessHeadersCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyDefaultsRulesResponseSuccessHeadersCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessHeadersCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// JSON object +/// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessHeadersJson { + pub properties: BTreeMap, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessHeadersJsonProperties { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Plain text content +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessHeadersPlain { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessHeadersWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". 
+ /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesResponseSuccessHeadersWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authorino Festival Wristband token +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessHeadersWristband { + /// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customClaims")] + pub custom_claims: Option>, + /// The endpoint to the Authorino service that issues the wristband (format: ://:/, where = /, + /// Time span of the wristband token, in seconds. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenDuration")] + pub token_duration: Option, +} + +/// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessHeadersWristbandCustomClaims { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseSuccessHeadersWristbandSigningKeyRefs { + /// Algorithm to sign the wristband token using the signing key provided + pub algorithm: AuthPolicyDefaultsRulesResponseSuccessHeadersWristbandSigningKeyRefsAlgorithm, + /// Name of the signing key. + /// The value is used to reference the Kubernetes secret that stores the key and in the `kid` claim of the wristband token header. 
+ pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsRulesResponseSuccessHeadersWristbandSigningKeyRefsAlgorithm { + #[serde(rename = "ES256")] + Es256, + #[serde(rename = "ES384")] + Es384, + #[serde(rename = "ES512")] + Es512, + #[serde(rename = "RS256")] + Rs256, + #[serde(rename = "RS384")] + Rs384, + #[serde(rename = "RS512")] + Rs512, +} + +/// Customizations on the denial status attributes when the request is unauthenticated. +/// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. +/// Default: 401 Unauthorized +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseUnauthenticated { + /// HTTP response body to override the default denial body. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// HTTP status code to override the default denial status code. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub code: Option, + /// HTTP response headers to override the default denial headers. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP message to override the default denial message. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub message: Option, +} + +/// HTTP response body to override the default denial body. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseUnauthenticatedBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP response headers to override the default denial headers. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseUnauthenticatedHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP message to override the default denial message. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseUnauthenticatedMessage { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Customizations on the denial status attributes when the request is unauthorized. +/// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. +/// Default: 403 Forbidden +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseUnauthorized { + /// HTTP response body to override the default denial body. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// HTTP status code to override the default denial status code. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub code: Option, + /// HTTP response headers to override the default denial headers. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP message to override the default denial message. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub message: Option, +} + +/// HTTP response body to override the default denial body. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseUnauthorizedBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP response headers to override the default denial headers. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseUnauthorizedHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP message to override the default denial message. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsRulesResponseUnauthorizedMessage { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyDefaultsWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyDefaultsWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Overrides define explicit override values for this policy. +/// Overrides are mutually exclusive with explicit and implicit defaults defined by AuthPolicyCommonSpec. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverrides { + /// Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub patterns: Option>, + /// The auth rules of the policy. + /// See Authorino's AuthConfig CRD for more details. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rules: Option, + /// Overall conditions for the AuthPolicy to be enforced. + /// If omitted, the AuthPolicy will be enforced at all requests to the protected routes. + /// If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesPatterns { + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 
'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesPatternsOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// The auth rules of the policy. +/// See Authorino's AuthConfig CRD for more details. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRules { + /// Authentication configs. + /// At least one config MUST evaluate to a valid identity object for the auth request to be successful. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub authentication: Option>, + /// Authorization policies. + /// All policies MUST evaluate to "allowed = true" for the auth request be successful. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub authorization: Option>, + /// Callback functions. + /// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub callbacks: Option>, + /// Metadata sources. + /// Authorino fetches auth metadata as JSON from sources specified in this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option>, + /// Response items. + /// Authorino builds custom responses to the client of the auth request. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub response: Option, +} + +/// Authentication configs. +/// At least one config MUST evaluate to a valid identity object for the auth request to be successful. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthentication { + /// Anonymous access. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub anonymous: Option, + /// Authentication based on API keys stored in Kubernetes secrets. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiKey")] + pub api_key: Option, + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// Defines where credentials are required to be passed in the request for authentication based on this config. + /// If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Set default property values (claims) for the resolved identity object, that are set before appending the object to + /// the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. + /// It requires the resolved identity object to always be a JSON object. + /// Do not use this option with identity objects of other JSON types (array, string, etc). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub defaults: Option>, + /// Authentication based on JWT tokens. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub jwt: Option, + /// Authentication by Kubernetes token review. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesTokenReview")] + pub kubernetes_token_review: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Authentication by OAuth2 token introspection. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "oauth2Introspection")] + pub oauth2_introspection: Option, + /// Overrides the resolved identity object by setting the additional properties (claims) specified in this config, + /// before appending the object to the authorization JSON. + /// It requires the resolved identity object to always be a JSON object. + /// Do not use this option with identity objects of other JSON types (array, string, etc). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub overrides: Option>, + /// Identity object extracted from the context. + /// Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub plain: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, + /// Authentication based on client X.509 certificates. + /// The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub x509: Option, +} + +/// Anonymous access. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationAnonymous { +} + +/// Authentication based on API keys stored in Kubernetes secrets. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationApiKey { + /// Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. + /// Enabling this option in namespaced Authorino instances has no effect. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allNamespaces")] + pub all_namespaces: Option, + /// Label selector used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service + pub selector: AuthPolicyOverridesRulesAuthenticationApiKeySelector, +} + +/// Label selector used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationApiKeySelector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationApiKeySelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyOverridesRulesAuthenticationCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Defines where credentials are required to be passed in the request for authentication based on this config. +/// If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationCredentialsQueryString { + pub name: String, +} + +/// Set default property values (claims) for the resolved 
identity object, that are set before appending the object to +/// the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. +/// It requires the resolved identity object to always be a JSON object. +/// Do not use this option with identity objects of other JSON types (array, string, etc). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationDefaults { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Authentication based on JWT tokens. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationJwt { + /// URL of the issuer of the JWT. + /// If `jwksUrl` is omitted, Authorino will append the path to the OpenID Connect Well-Known Discovery endpoint + /// (i.e. "/.well-known/openid-configuration") to this URL, to discover the OIDC configuration where to obtain + /// the "jkws_uri" claim from. + /// The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "issuerUrl")] + pub issuer_url: Option, + /// Decides how long to wait before refreshing the JWKS (in seconds). + /// If omitted, Authorino will never refresh the JWKS. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Authentication by Kubernetes token review. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationKubernetesTokenReview { + /// The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. + /// If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub audiences: Option>, +} + +/// Authentication by OAuth2 token introspection. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationOauth2Introspection { + /// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server. + #[serde(rename = "credentialsRef")] + pub credentials_ref: AuthPolicyOverridesRulesAuthenticationOauth2IntrospectionCredentialsRef, + /// The full URL of the token introspection endpoint. + pub endpoint: String, + /// The token type hint for the token introspection. + /// If omitted, it defaults to "access_token". + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenTypeHint")] + pub token_type_hint: Option, +} + +/// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationOauth2IntrospectionCredentialsRef { + /// Name of the referent. + /// This field is effectively required, but due to backwards compatibility is + /// allowed to be empty. Instances of this type with an empty value here are + /// almost certainly wrong. + /// TODO: Add other useful fields. apiVersion, kind, uid? 
+ /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// Overrides the resolved identity object by setting the additional properties (claims) specified in this config, +/// before appending the object to the authorization JSON. +/// It requires the resolved identity object to always be a JSON object. +/// Do not use this option with identity objects of other JSON types (array, string, etc). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationOverrides { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Identity object extracted from the context. +/// Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationPlain { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + pub selector: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesAuthenticationWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authentication based on client X.509 certificates. +/// The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationX509 { + /// Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. + /// Enabling this option in namespaced Authorino instances has no effect. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allNamespaces")] + pub all_namespaces: Option, + /// Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate + /// clients trying to authenticate to this service + pub selector: AuthPolicyOverridesRulesAuthenticationX509Selector, +} + +/// Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate +/// clients trying to authenticate to this service +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationX509Selector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthenticationX509SelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// Authorization policies. +/// All policies MUST evaluate to "allowed = true" for the auth request be successful. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorization { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// Authorization by Kubernetes SubjectAccessReview + #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesSubjectAccessReview")] + pub kubernetes_subject_access_review: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Open Policy Agent (OPA) Rego policy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub opa: Option, + /// Pattern-matching authorization rules. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternMatching")] + pub pattern_matching: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Authorization decision delegated to external Authzed/SpiceDB server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub spicedb: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. 
+ pub key: AuthPolicyOverridesRulesAuthorizationCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Authorization by Kubernetes SubjectAccessReview +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationKubernetesSubjectAccessReview { + /// Groups the user must be a member of or, if `user` is omitted, the groups to check for authorization in the Kubernetes RBAC. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub groups: Option>, + /// Use resourceAttributes to check permissions on Kubernetes resources. + /// If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceAttributes")] + pub resource_attributes: Option, + /// User to check for authorization in the Kubernetes RBAC. + /// Omit it to check for group authorization only. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub user: Option, +} + +/// Use resourceAttributes to check permissions on Kubernetes resources. +/// If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributes { + /// API group of the resource. + /// Use '*' for all API groups. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub group: Option, + /// Resource name + /// Omit it to check for authorization on all resources of the specified kind. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + /// Namespace where the user must have permissions on the resource. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, + /// Resource kind + /// Use '*' for all resource kinds. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource: Option, + /// Subresource kind + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subresource: Option, + /// Verb to check for authorization on the resource. + /// Use '*' for all verbs. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub verb: Option, +} + +/// API group of the resource. +/// Use '*' for all API groups. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesGroup { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Resource name +/// Omit it to check for authorization on all resources of the specified kind. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesName { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Namespace where the user must have permissions on the resource. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesNamespace { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Resource kind +/// Use '*' for all resource kinds. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesResource { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Subresource kind +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesSubresource { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Verb to check for authorization on the resource. +/// Use '*' for all verbs. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesVerb { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// User to check for authorization in the Kubernetes RBAC. +/// Omit it to check for group authorization only. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationKubernetesSubjectAccessReviewUser { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Open Policy Agent (OPA) Rego policy. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpa { + /// Returns the value of all Rego rules in the virtual document. 
Values can be read in subsequent evaluators/phases of the Auth Pipeline. + /// Otherwise, only the default `allow` rule will be exposed. + /// Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allValues")] + pub all_values: Option, + /// Settings for fetching the OPA policy from an external registry. + /// Use it alternatively to 'rego'. + /// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', + /// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "externalPolicy")] + pub external_policy: Option, + /// Authorization policy as a Rego language document. + /// The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). + /// The Rego document must NOT include the "package" declaration in line 1. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rego: Option, +} + +/// Settings for fetching the OPA policy from an external registry. +/// Use it alternatively to 'rego'. +/// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', +/// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicy { + /// Raw body of the HTTP request. + /// Supersedes 'bodyParameters'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// Custom parameters to encode in the body of the HTTP request. + /// Superseded by 'body'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bodyParameters")] + pub body_parameters: Option>, + /// Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + /// Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "contentType")] + pub content_type: Option, + /// Defines where client credentials will be passed in the request to the service. + /// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Custom headers in the HTTP request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP verb used in the request to the service. Accepted values: GET (default), POST. + /// When the request method is POST, the authorization JSON is passed in the body of the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub method: Option, + /// Authentication with the HTTP service by OAuth2 Client Credentials grant. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oauth2: Option, + /// Reference to a Secret key whose value will be passed by Authorino in the request. + /// The HTTP service can use the shared secret to authenticate the origin of the request. + /// Ignored if used together with oauth2. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, + /// Endpoint URL of the HTTP service. + /// The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + /// by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + /// E.g. https://ext-auth-server.io/metadata?p={request.path} + pub url: String, +} + +/// Raw body of the HTTP request. +/// Supersedes 'bodyParameters'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Custom parameters to encode in the body of the HTTP request. +/// Superseded by 'body'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyBodyParameters { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings for fetching the OPA policy from an external registry. +/// Use it alternatively to 'rego'. +/// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', +/// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyContentType { + #[serde(rename = "application/x-www-form-urlencoded")] + ApplicationXWwwFormUrlencoded, + #[serde(rename = "application/json")] + ApplicationJson, +} + +/// Defines where client credentials will be passed in the request to the service. +/// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyCredentialsQueryString { + pub name: String, +} + +/// Custom headers in the HTTP request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings for fetching the OPA policy from an external registry. +/// Use it alternatively to 'rego'. +/// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', +/// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyMethod { + #[serde(rename = "GET")] + Get, + #[serde(rename = "POST")] + Post, + #[serde(rename = "PUT")] + Put, + #[serde(rename = "PATCH")] + Patch, + #[serde(rename = "DELETE")] + Delete, + #[serde(rename = "HEAD")] + Head, + #[serde(rename = "OPTIONS")] + Options, + #[serde(rename = "CONNECT")] + Connect, + #[serde(rename = "TRACE")] + Trace, +} + +/// Authentication with the HTTP service by OAuth2 Client Credentials grant. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyOauth2 { + /// Caches and reuses the token until expired. + /// Set it to false to force fetch the token at every authorization request regardless of expiration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// OAuth2 Client ID. + #[serde(rename = "clientId")] + pub client_id: String, + /// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. + #[serde(rename = "clientSecretRef")] + pub client_secret_ref: AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyOauth2ClientSecretRef, + /// Optional extra parameters for the requests to the token URL. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraParams")] + pub extra_params: Option>, + /// Optional scopes for the client credentials grant, if supported by he OAuth2 server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub scopes: Option>, + /// Token endpoint URL of the OAuth2 resource server. + #[serde(rename = "tokenUrl")] + pub token_url: String, +} + +/// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicyOauth2ClientSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Reference to a Secret key whose value will be passed by Authorino in the request. +/// The HTTP service can use the shared secret to authenticate the origin of the request. +/// Ignored if used together with oauth2. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationOpaExternalPolicySharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Pattern-matching authorization rules. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationPatternMatching { + pub patterns: Vec, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationPatternMatchingPatterns { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesAuthorizationPatternMatchingPatternsOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authorization decision delegated to external Authzed/SpiceDB server. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationSpicedb { + /// Hostname and port number to the GRPC interface of the SpiceDB server (e.g. spicedb:50051). + pub endpoint: String, + /// Insecure HTTP connection (i.e. 
disables TLS verification) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub insecure: Option, + /// The name of the permission (or relation) on which to execute the check. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub permission: Option, + /// The resource on which to check the permission or relation. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource: Option, + /// Reference to a Secret key whose value will be used by Authorino to authenticate with the Authzed service. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// The subject that will be checked for the permission or relation. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subject: Option, +} + +/// The name of the permission (or relation) on which to execute the check. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationSpicedbPermission { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// The resource on which to check the permission or relation. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationSpicedbResource { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub kind: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationSpicedbResourceKind { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationSpicedbResourceName { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Reference to a Secret key whose value will be used by Authorino to authenticate with the Authzed service. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationSpicedbSharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// The subject that will be checked for the permission or relation. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationSpicedbSubject { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub kind: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationSpicedbSubjectKind { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationSpicedbSubjectName { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesAuthorizationWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesAuthorizationWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Callback functions. +/// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacks { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// Settings of the external HTTP request + #[serde(default, skip_serializing_if = "Option::is_none")] + pub http: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyOverridesRulesCallbacksCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings of the external HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttp { + /// Raw body of the HTTP request. + /// Supersedes 'bodyParameters'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// Custom parameters to encode in the body of the HTTP request. + /// Superseded by 'body'; use either one or the other. 
+ /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bodyParameters")] + pub body_parameters: Option>, + /// Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + /// Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "contentType")] + pub content_type: Option, + /// Defines where client credentials will be passed in the request to the service. + /// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Custom headers in the HTTP request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP verb used in the request to the service. Accepted values: GET (default), POST. + /// When the request method is POST, the authorization JSON is passed in the body of the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub method: Option, + /// Authentication with the HTTP service by OAuth2 Client Credentials grant. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oauth2: Option, + /// Reference to a Secret key whose value will be passed by Authorino in the request. + /// The HTTP service can use the shared secret to authenticate the origin of the request. + /// Ignored if used together with oauth2. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// Endpoint URL of the HTTP service. 
+ /// The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + /// by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + /// E.g. https://ext-auth-server.io/metadata?p={request.path} + pub url: String, +} + +/// Raw body of the HTTP request. +/// Supersedes 'bodyParameters'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttpBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Custom parameters to encode in the body of the HTTP request. +/// Superseded by 'body'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttpBodyParameters { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings of the external HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesCallbacksHttpContentType { + #[serde(rename = "application/x-www-form-urlencoded")] + ApplicationXWwwFormUrlencoded, + #[serde(rename = "application/json")] + ApplicationJson, +} + +/// Defines where client credentials will be passed in the request to the service. +/// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttpCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttpCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttpCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct 
AuthPolicyOverridesRulesCallbacksHttpCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttpCredentialsQueryString { + pub name: String, +} + +/// Custom headers in the HTTP request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttpHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings of the external HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesCallbacksHttpMethod { + #[serde(rename = "GET")] + Get, + #[serde(rename = "POST")] + Post, + #[serde(rename = "PUT")] + Put, + #[serde(rename = "PATCH")] + Patch, + #[serde(rename = "DELETE")] + Delete, + #[serde(rename = "HEAD")] + Head, + #[serde(rename = "OPTIONS")] + Options, + #[serde(rename = "CONNECT")] + Connect, + #[serde(rename = "TRACE")] + Trace, +} + +/// Authentication with the HTTP service by OAuth2 Client Credentials grant. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttpOauth2 { + /// Caches and reuses the token until expired. + /// Set it to false to force fetch the token at every authorization request regardless of expiration. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// OAuth2 Client ID. + #[serde(rename = "clientId")] + pub client_id: String, + /// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. + #[serde(rename = "clientSecretRef")] + pub client_secret_ref: AuthPolicyOverridesRulesCallbacksHttpOauth2ClientSecretRef, + /// Optional extra parameters for the requests to the token URL. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraParams")] + pub extra_params: Option>, + /// Optional scopes for the client credentials grant, if supported by he OAuth2 server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub scopes: Option>, + /// Token endpoint URL of the OAuth2 resource server. + #[serde(rename = "tokenUrl")] + pub token_url: String, +} + +/// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttpOauth2ClientSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Reference to a Secret key whose value will be passed by Authorino in the request. +/// The HTTP service can use the shared secret to authenticate the origin of the request. +/// Ignored if used together with oauth2. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksHttpSharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesCallbacksWhen { + /// A list of pattern expressions to be evaluated as a logical AND. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesCallbacksWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Metadata sources. +/// Authorino fetches auth metadata as JSON from sources specified in this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadata { + /// Caching options for the resolved object returned when applying this config. 
+ /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// External source of auth metadata via HTTP request + #[serde(default, skip_serializing_if = "Option::is_none")] + pub http: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// User-Managed Access (UMA) source of resource data. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub uma: Option, + /// OpendID Connect UserInfo linked to an OIDC authentication config specified in this same AuthConfig. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "userInfo")] + pub user_info: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyOverridesRulesMetadataCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// External source of auth metadata via HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttp { + /// Raw body of the HTTP request. + /// Supersedes 'bodyParameters'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// Custom parameters to encode in the body of the HTTP request. + /// Superseded by 'body'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bodyParameters")] + pub body_parameters: Option>, + /// Content-Type of the request body. Shapes how 'bodyParameters' are encoded. 
+ /// Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "contentType")] + pub content_type: Option, + /// Defines where client credentials will be passed in the request to the service. + /// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Custom headers in the HTTP request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP verb used in the request to the service. Accepted values: GET (default), POST. + /// When the request method is POST, the authorization JSON is passed in the body of the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub method: Option, + /// Authentication with the HTTP service by OAuth2 Client Credentials grant. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oauth2: Option, + /// Reference to a Secret key whose value will be passed by Authorino in the request. + /// The HTTP service can use the shared secret to authenticate the origin of the request. + /// Ignored if used together with oauth2. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// Endpoint URL of the HTTP service. + /// The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + /// by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + /// E.g. https://ext-auth-server.io/metadata?p={request.path} + pub url: String, +} + +/// Raw body of the HTTP request. +/// Supersedes 'bodyParameters'; use either one or the other. 
+/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttpBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Custom parameters to encode in the body of the HTTP request. +/// Superseded by 'body'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttpBodyParameters { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// External source of auth metadata via HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesMetadataHttpContentType { + #[serde(rename = "application/x-www-form-urlencoded")] + ApplicationXWwwFormUrlencoded, + #[serde(rename = "application/json")] + ApplicationJson, +} + +/// Defines where client credentials will be passed in the request to the service. +/// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttpCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttpCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttpCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttpCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct 
AuthPolicyOverridesRulesMetadataHttpCredentialsQueryString { + pub name: String, +} + +/// Custom headers in the HTTP request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttpHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// External source of auth metadata via HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesMetadataHttpMethod { + #[serde(rename = "GET")] + Get, + #[serde(rename = "POST")] + Post, + #[serde(rename = "PUT")] + Put, + #[serde(rename = "PATCH")] + Patch, + #[serde(rename = "DELETE")] + Delete, + #[serde(rename = "HEAD")] + Head, + #[serde(rename = "OPTIONS")] + Options, + #[serde(rename = "CONNECT")] + Connect, + #[serde(rename = "TRACE")] + Trace, +} + +/// Authentication with the HTTP service by OAuth2 Client Credentials grant. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttpOauth2 { + /// Caches and reuses the token until expired. + /// Set it to false to force fetch the token at every authorization request regardless of expiration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// OAuth2 Client ID. 
+ #[serde(rename = "clientId")] + pub client_id: String, + /// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. + #[serde(rename = "clientSecretRef")] + pub client_secret_ref: AuthPolicyOverridesRulesMetadataHttpOauth2ClientSecretRef, + /// Optional extra parameters for the requests to the token URL. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraParams")] + pub extra_params: Option>, + /// Optional scopes for the client credentials grant, if supported by he OAuth2 server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub scopes: Option>, + /// Token endpoint URL of the OAuth2 resource server. + #[serde(rename = "tokenUrl")] + pub token_url: String, +} + +/// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttpOauth2ClientSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Reference to a Secret key whose value will be passed by Authorino in the request. +/// The HTTP service can use the shared secret to authenticate the origin of the request. +/// Ignored if used together with oauth2. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataHttpSharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// User-Managed Access (UMA) source of resource data. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataUma { + /// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the resource registration API of the UMA server. + #[serde(rename = "credentialsRef")] + pub credentials_ref: AuthPolicyOverridesRulesMetadataUmaCredentialsRef, + /// The endpoint of the UMA server. + /// The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + pub endpoint: String, +} + +/// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the resource registration API of the UMA server. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataUmaCredentialsRef { + /// Name of the referent. + /// This field is effectively required, but due to backwards compatibility is + /// allowed to be empty. Instances of this type with an empty value here are + /// almost certainly wrong. + /// TODO: Add other useful fields. apiVersion, kind, uid? + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// OpendID Connect UserInfo linked to an OIDC authentication config specified in this same AuthConfig. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataUserInfo { + /// The name of an OIDC-enabled JWT authentication config whose OpenID Connect configuration discovered includes the OIDC "userinfo_endpoint" claim. 
+ #[serde(rename = "identitySource")] + pub identity_source: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesMetadataWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesMetadataWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Response items. 
+/// Authorino builds custom responses to the client of the auth request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponse { + /// Response items to be included in the auth response when the request is authenticated and authorized. + /// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub success: Option, + /// Customizations on the denial status attributes when the request is unauthenticated. + /// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. + /// Default: 401 Unauthorized + #[serde(default, skip_serializing_if = "Option::is_none")] + pub unauthenticated: Option, + /// Customizations on the denial status attributes when the request is unauthorized. + /// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. + /// Default: 403 Forbidden + #[serde(default, skip_serializing_if = "Option::is_none")] + pub unauthorized: Option, +} + +/// Response items to be included in the auth response when the request is authenticated and authorized. +/// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccess { + /// Custom success response items wrapped as HTTP headers. + /// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata. 
+ /// See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dynamicMetadata")] + pub dynamic_metadata: Option>, + /// Custom success response items wrapped as HTTP headers. + /// For integration of Authorino via proxy, the proxy must use these settings to inject data in the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, +} + +/// Custom success response items wrapped as HTTP headers. +/// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata. +/// See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessDynamicMetadata { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// JSON object + /// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub json: Option, + /// The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). + /// If omitted, it will be set to the name of the response config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Plain text content + #[serde(default, skip_serializing_if = "Option::is_none")] + pub plain: Option, + /// Priority group of the config. 
+ /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, + /// Authorino Festival Wristband token + #[serde(default, skip_serializing_if = "Option::is_none")] + pub wristband: Option, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessDynamicMetadataCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyOverridesRulesResponseSuccessDynamicMetadataCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessDynamicMetadataCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// JSON object +/// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessDynamicMetadataJson { + pub properties: BTreeMap, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessDynamicMetadataJsonProperties { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Plain text content +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessDynamicMetadataPlain { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessDynamicMetadataWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesResponseSuccessDynamicMetadataWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authorino Festival Wristband token +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessDynamicMetadataWristband { + /// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customClaims")] + pub custom_claims: Option>, + /// The endpoint to the Authorino service that issues the wristband (format: ://:/, where = /, + /// Time span of the wristband token, in seconds. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenDuration")] + pub token_duration: Option, +} + +/// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessDynamicMetadataWristbandCustomClaims { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessDynamicMetadataWristbandSigningKeyRefs { + /// Algorithm to sign the wristband token using the signing key provided + pub algorithm: AuthPolicyOverridesRulesResponseSuccessDynamicMetadataWristbandSigningKeyRefsAlgorithm, + /// Name of the signing key. + /// The value is used to reference the Kubernetes secret that stores the key and in the `kid` claim of the wristband token header. + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesResponseSuccessDynamicMetadataWristbandSigningKeyRefsAlgorithm { + #[serde(rename = "ES256")] + Es256, + #[serde(rename = "ES384")] + Es384, + #[serde(rename = "ES512")] + Es512, + #[serde(rename = "RS256")] + Rs256, + #[serde(rename = "RS384")] + Rs384, + #[serde(rename = "RS512")] + Rs512, +} + +/// Custom success response items wrapped as HTTP headers. +/// For integration of Authorino via proxy, the proxy must use these settings to inject data in the request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessHeaders { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// JSON object + /// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub json: Option, + /// The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). 
+ /// If omitted, it will be set to the name of the response config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Plain text content + #[serde(default, skip_serializing_if = "Option::is_none")] + pub plain: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, + /// Authorino Festival Wristband token + #[serde(default, skip_serializing_if = "Option::is_none")] + pub wristband: Option, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessHeadersCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyOverridesRulesResponseSuccessHeadersCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessHeadersCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// JSON object +/// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessHeadersJson { + pub properties: BTreeMap, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessHeadersJsonProperties { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Plain text content +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessHeadersPlain { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessHeadersWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". 
+ /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesResponseSuccessHeadersWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authorino Festival Wristband token +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessHeadersWristband { + /// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customClaims")] + pub custom_claims: Option>, + /// The endpoint to the Authorino service that issues the wristband (format: ://:/, where = /, + /// Time span of the wristband token, in seconds. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenDuration")] + pub token_duration: Option, +} + +/// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessHeadersWristbandCustomClaims { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseSuccessHeadersWristbandSigningKeyRefs { + /// Algorithm to sign the wristband token using the signing key provided + pub algorithm: AuthPolicyOverridesRulesResponseSuccessHeadersWristbandSigningKeyRefsAlgorithm, + /// Name of the signing key. + /// The value is used to reference the Kubernetes secret that stores the key and in the `kid` claim of the wristband token header. 
+ pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesRulesResponseSuccessHeadersWristbandSigningKeyRefsAlgorithm { + #[serde(rename = "ES256")] + Es256, + #[serde(rename = "ES384")] + Es384, + #[serde(rename = "ES512")] + Es512, + #[serde(rename = "RS256")] + Rs256, + #[serde(rename = "RS384")] + Rs384, + #[serde(rename = "RS512")] + Rs512, +} + +/// Customizations on the denial status attributes when the request is unauthenticated. +/// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. +/// Default: 401 Unauthorized +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseUnauthenticated { + /// HTTP response body to override the default denial body. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// HTTP status code to override the default denial status code. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub code: Option, + /// HTTP response headers to override the default denial headers. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP message to override the default denial message. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub message: Option, +} + +/// HTTP response body to override the default denial body. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseUnauthenticatedBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP response headers to override the default denial headers. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseUnauthenticatedHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP message to override the default denial message. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseUnauthenticatedMessage { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Customizations on the denial status attributes when the request is unauthorized. +/// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. +/// Default: 403 Forbidden +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseUnauthorized { + /// HTTP response body to override the default denial body. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// HTTP status code to override the default denial status code. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub code: Option, + /// HTTP response headers to override the default denial headers. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP message to override the default denial message. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub message: Option, +} + +/// HTTP response body to override the default denial body. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseUnauthorizedBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP response headers to override the default denial headers. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseUnauthorizedHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP message to override the default denial message. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesRulesResponseUnauthorizedMessage { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyOverridesWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyOverridesWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyPatterns { + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyPatternsOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// The auth rules of the policy. +/// See Authorino's AuthConfig CRD for more details. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRules { + /// Authentication configs. 
+ /// At least one config MUST evaluate to a valid identity object for the auth request to be successful. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub authentication: Option>, + /// Authorization policies. + /// All policies MUST evaluate to "allowed = true" for the auth request be successful. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub authorization: Option>, + /// Callback functions. + /// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub callbacks: Option>, + /// Metadata sources. + /// Authorino fetches auth metadata as JSON from sources specified in this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option>, + /// Response items. + /// Authorino builds custom responses to the client of the auth request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub response: Option, +} + +/// Authentication configs. +/// At least one config MUST evaluate to a valid identity object for the auth request to be successful. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthentication { + /// Anonymous access. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub anonymous: Option, + /// Authentication based on API keys stored in Kubernetes secrets. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiKey")] + pub api_key: Option, + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// Defines where credentials are required to be passed in the request for authentication based on this config. 
+ /// If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Set default property values (claims) for the resolved identity object, that are set before appending the object to + /// the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. + /// It requires the resolved identity object to always be a JSON object. + /// Do not use this option with identity objects of other JSON types (array, string, etc). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub defaults: Option>, + /// Authentication based on JWT tokens. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub jwt: Option, + /// Authentication by Kubernetes token review. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesTokenReview")] + pub kubernetes_token_review: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Authentication by OAuth2 token introspection. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "oauth2Introspection")] + pub oauth2_introspection: Option, + /// Overrides the resolved identity object by setting the additional properties (claims) specified in this config, + /// before appending the object to the authorization JSON. + /// It requires the resolved identity object to always be a JSON object. + /// Do not use this option with identity objects of other JSON types (array, string, etc). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub overrides: Option>, + /// Identity object extracted from the context. 
+ /// Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub plain: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, + /// Authentication based on client X.509 certificates. + /// The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub x509: Option, +} + +/// Anonymous access. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationAnonymous { +} + +/// Authentication based on API keys stored in Kubernetes secrets. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationApiKey { + /// Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. + /// Enabling this option in namespaced Authorino instances has no effect. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "allNamespaces")] + pub all_namespaces: Option, + /// Label selector used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service + pub selector: AuthPolicyRulesAuthenticationApiKeySelector, +} + +/// Label selector used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationApiKeySelector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationApiKeySelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyRulesAuthenticationCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Defines where credentials are required to be passed in the request for authentication based on this config. +/// If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationCredentialsQueryString { + pub name: String, +} + +/// Set default property values (claims) for the resolved identity object, that are set before appending the object to +/// the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. +/// It requires the resolved identity object to always be a JSON object. +/// Do not use this option with identity objects of other JSON types (array, string, etc). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationDefaults { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. 
"Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Authentication based on JWT tokens. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationJwt { + /// URL of the issuer of the JWT. + /// If `jwksUrl` is omitted, Authorino will append the path to the OpenID Connect Well-Known Discovery endpoint + /// (i.e. "/.well-known/openid-configuration") to this URL, to discover the OIDC configuration where to obtain + /// the "jkws_uri" claim from. + /// The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "issuerUrl")] + pub issuer_url: Option, + /// Decides how long to wait before refreshing the JWKS (in seconds). + /// If omitted, Authorino will never refresh the JWKS. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Authentication by Kubernetes token review. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationKubernetesTokenReview { + /// The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. + /// If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub audiences: Option>, +} + +/// Authentication by OAuth2 token introspection. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationOauth2Introspection { + /// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server. + #[serde(rename = "credentialsRef")] + pub credentials_ref: AuthPolicyRulesAuthenticationOauth2IntrospectionCredentialsRef, + /// The full URL of the token introspection endpoint. + pub endpoint: String, + /// The token type hint for the token introspection. + /// If omitted, it defaults to "access_token". + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenTypeHint")] + pub token_type_hint: Option, +} + +/// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationOauth2IntrospectionCredentialsRef { + /// Name of the referent. + /// This field is effectively required, but due to backwards compatibility is + /// allowed to be empty. Instances of this type with an empty value here are + /// almost certainly wrong. + /// TODO: Add other useful fields. apiVersion, kind, uid? + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// Overrides the resolved identity object by setting the additional properties (claims) specified in this config, +/// before appending the object to the authorization JSON. +/// It requires the resolved identity object to always be a JSON object. +/// Do not use this option with identity objects of other JSON types (array, string, etc). 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationOverrides { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Identity object extracted from the context. +/// Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationPlain { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + pub selector: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesAuthenticationWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authentication based on client X.509 certificates. +/// The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationX509 { + /// Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. 
+ /// Enabling this option in namespaced Authorino instances has no effect. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allNamespaces")] + pub all_namespaces: Option, + /// Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate + /// clients trying to authenticate to this service + pub selector: AuthPolicyRulesAuthenticationX509Selector, +} + +/// Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate +/// clients trying to authenticate to this service +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationX509Selector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthenticationX509SelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// Authorization policies. +/// All policies MUST evaluate to "allowed = true" for the auth request be successful. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorization { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// Authorization by Kubernetes SubjectAccessReview + #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesSubjectAccessReview")] + pub kubernetes_subject_access_review: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Open Policy Agent (OPA) Rego policy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub opa: Option, + /// Pattern-matching authorization rules. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternMatching")] + pub pattern_matching: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Authorization decision delegated to external Authzed/SpiceDB server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub spicedb: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyRulesAuthorizationCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Authorization by Kubernetes SubjectAccessReview +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationKubernetesSubjectAccessReview { + /// Groups the user must be a member of or, if `user` is omitted, the groups to check for authorization in the Kubernetes RBAC. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub groups: Option>, + /// Use resourceAttributes to check permissions on Kubernetes resources. + /// If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceAttributes")] + pub resource_attributes: Option, + /// User to check for authorization in the Kubernetes RBAC. + /// Omit it to check for group authorization only. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub user: Option, +} + +/// Use resourceAttributes to check permissions on Kubernetes resources. +/// If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributes { + /// API group of the resource. + /// Use '*' for all API groups. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub group: Option, + /// Resource name + /// Omit it to check for authorization on all resources of the specified kind. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + /// Namespace where the user must have permissions on the resource. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, + /// Resource kind + /// Use '*' for all resource kinds. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource: Option, + /// Subresource kind + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subresource: Option, + /// Verb to check for authorization on the resource. + /// Use '*' for all verbs. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub verb: Option, +} + +/// API group of the resource. +/// Use '*' for all API groups. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesGroup { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Resource name +/// Omit it to check for authorization on all resources of the specified kind. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesName { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Namespace where the user must have permissions on the resource. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesNamespace { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Resource kind +/// Use '*' for all resource kinds. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesResource { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Subresource kind +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesSubresource { + /// Simple path selector to fetch content from the authorization JSON (e.g. 
'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Verb to check for authorization on the resource. +/// Use '*' for all verbs. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationKubernetesSubjectAccessReviewResourceAttributesVerb { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// User to check for authorization in the Kubernetes RBAC. +/// Omit it to check for group authorization only. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationKubernetesSubjectAccessReviewUser { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Open Policy Agent (OPA) Rego policy. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpa { + /// Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. + /// Otherwise, only the default `allow` rule will be exposed. + /// Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allValues")] + pub all_values: Option, + /// Settings for fetching the OPA policy from an external registry. + /// Use it alternatively to 'rego'. + /// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', + /// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "externalPolicy")] + pub external_policy: Option, + /// Authorization policy as a Rego language document. + /// The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). + /// The Rego document must NOT include the "package" declaration in line 1. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rego: Option, +} + +/// Settings for fetching the OPA policy from an external registry. +/// Use it alternatively to 'rego'. 
+/// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', +/// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicy { + /// Raw body of the HTTP request. + /// Supersedes 'bodyParameters'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// Custom parameters to encode in the body of the HTTP request. + /// Superseded by 'body'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bodyParameters")] + pub body_parameters: Option>, + /// Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + /// Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "contentType")] + pub content_type: Option, + /// Defines where client credentials will be passed in the request to the service. + /// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Custom headers in the HTTP request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP verb used in the request to the service. Accepted values: GET (default), POST. + /// When the request method is POST, the authorization JSON is passed in the body of the request. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub method: Option, + /// Authentication with the HTTP service by OAuth2 Client Credentials grant. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oauth2: Option, + /// Reference to a Secret key whose value will be passed by Authorino in the request. + /// The HTTP service can use the shared secret to authenticate the origin of the request. + /// Ignored if used together with oauth2. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, + /// Endpoint URL of the HTTP service. + /// The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + /// by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + /// E.g. https://ext-auth-server.io/metadata?p={request.path} + pub url: String, +} + +/// Raw body of the HTTP request. +/// Supersedes 'bodyParameters'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicyBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Custom parameters to encode in the body of the HTTP request. +/// Superseded by 'body'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicyBodyParameters { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings for fetching the OPA policy from an external registry. +/// Use it alternatively to 'rego'. +/// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', +/// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesAuthorizationOpaExternalPolicyContentType { + #[serde(rename = "application/x-www-form-urlencoded")] + ApplicationXWwwFormUrlencoded, + #[serde(rename = "application/json")] + ApplicationJson, +} + +/// Defines where client credentials will be passed in the request to the service. 
+/// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicyCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicyCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicyCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicyCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicyCredentialsQueryString { + pub name: String, +} + +/// Custom headers in the HTTP request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicyHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings for fetching the OPA policy from an external registry. +/// Use it alternatively to 'rego'. +/// For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', +/// 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesAuthorizationOpaExternalPolicyMethod { + #[serde(rename = "GET")] + Get, + #[serde(rename = "POST")] + Post, + #[serde(rename = "PUT")] + Put, + #[serde(rename = "PATCH")] + Patch, + #[serde(rename = "DELETE")] + Delete, + #[serde(rename = "HEAD")] + Head, + #[serde(rename = "OPTIONS")] + Options, + #[serde(rename = "CONNECT")] + Connect, + #[serde(rename = "TRACE")] + Trace, +} + +/// Authentication with the HTTP service by OAuth2 Client Credentials grant. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicyOauth2 { + /// Caches and reuses the token until expired. + /// Set it to false to force fetch the token at every authorization request regardless of expiration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// OAuth2 Client ID. + #[serde(rename = "clientId")] + pub client_id: String, + /// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. + #[serde(rename = "clientSecretRef")] + pub client_secret_ref: AuthPolicyRulesAuthorizationOpaExternalPolicyOauth2ClientSecretRef, + /// Optional extra parameters for the requests to the token URL. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraParams")] + pub extra_params: Option>, + /// Optional scopes for the client credentials grant, if supported by he OAuth2 server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub scopes: Option>, + /// Token endpoint URL of the OAuth2 resource server. + #[serde(rename = "tokenUrl")] + pub token_url: String, +} + +/// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicyOauth2ClientSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Reference to a Secret key whose value will be passed by Authorino in the request. +/// The HTTP service can use the shared secret to authenticate the origin of the request. +/// Ignored if used together with oauth2. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationOpaExternalPolicySharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Pattern-matching authorization rules. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationPatternMatching { + pub patterns: Vec, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationPatternMatchingPatterns { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesAuthorizationPatternMatchingPatternsOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authorization decision delegated to external Authzed/SpiceDB server. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationSpicedb { + /// Hostname and port number to the GRPC interface of the SpiceDB server (e.g. spicedb:50051). + pub endpoint: String, + /// Insecure HTTP connection (i.e. 
disables TLS verification) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub insecure: Option, + /// The name of the permission (or relation) on which to execute the check. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub permission: Option, + /// The resource on which to check the permission or relation. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource: Option, + /// Reference to a Secret key whose value will be used by Authorino to authenticate with the Authzed service. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// The subject that will be checked for the permission or relation. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subject: Option, +} + +/// The name of the permission (or relation) on which to execute the check. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationSpicedbPermission { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// The resource on which to check the permission or relation. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationSpicedbResource { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub kind: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationSpicedbResourceKind { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationSpicedbResourceName { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Reference to a Secret key whose value will be used by Authorino to authenticate with the Authzed service. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationSpicedbSharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// The subject that will be checked for the permission or relation. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationSpicedbSubject { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub kind: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationSpicedbSubjectKind { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationSpicedbSubjectName { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesAuthorizationWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesAuthorizationWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Callback functions. +/// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacks { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// Settings of the external HTTP request + #[serde(default, skip_serializing_if = "Option::is_none")] + pub http: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksCache { + /// Key used to store the entry in the cache. 
+ /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyRulesCallbacksCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings of the external HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttp { + /// Raw body of the HTTP request. + /// Supersedes 'bodyParameters'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// Custom parameters to encode in the body of the HTTP request. + /// Superseded by 'body'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "bodyParameters")] + pub body_parameters: Option>, + /// Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + /// Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "contentType")] + pub content_type: Option, + /// Defines where client credentials will be passed in the request to the service. + /// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Custom headers in the HTTP request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP verb used in the request to the service. Accepted values: GET (default), POST. + /// When the request method is POST, the authorization JSON is passed in the body of the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub method: Option, + /// Authentication with the HTTP service by OAuth2 Client Credentials grant. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oauth2: Option, + /// Reference to a Secret key whose value will be passed by Authorino in the request. + /// The HTTP service can use the shared secret to authenticate the origin of the request. + /// Ignored if used together with oauth2. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// Endpoint URL of the HTTP service. + /// The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + /// by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + /// E.g. 
https://ext-auth-server.io/metadata?p={request.path} + pub url: String, +} + +/// Raw body of the HTTP request. +/// Supersedes 'bodyParameters'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Custom parameters to encode in the body of the HTTP request. +/// Superseded by 'body'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpBodyParameters { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings of the external HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesCallbacksHttpContentType { + #[serde(rename = "application/x-www-form-urlencoded")] + ApplicationXWwwFormUrlencoded, + #[serde(rename = "application/json")] + ApplicationJson, +} + +/// Defines where client credentials will be passed in the request to the service. +/// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpCredentialsQueryString { + pub name: 
String, +} + +/// Custom headers in the HTTP request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Settings of the external HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesCallbacksHttpMethod { + #[serde(rename = "GET")] + Get, + #[serde(rename = "POST")] + Post, + #[serde(rename = "PUT")] + Put, + #[serde(rename = "PATCH")] + Patch, + #[serde(rename = "DELETE")] + Delete, + #[serde(rename = "HEAD")] + Head, + #[serde(rename = "OPTIONS")] + Options, + #[serde(rename = "CONNECT")] + Connect, + #[serde(rename = "TRACE")] + Trace, +} + +/// Authentication with the HTTP service by OAuth2 Client Credentials grant. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpOauth2 { + /// Caches and reuses the token until expired. + /// Set it to false to force fetch the token at every authorization request regardless of expiration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// OAuth2 Client ID. + #[serde(rename = "clientId")] + pub client_id: String, + /// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. 
+ #[serde(rename = "clientSecretRef")] + pub client_secret_ref: AuthPolicyRulesCallbacksHttpOauth2ClientSecretRef, + /// Optional extra parameters for the requests to the token URL. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraParams")] + pub extra_params: Option>, + /// Optional scopes for the client credentials grant, if supported by he OAuth2 server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub scopes: Option>, + /// Token endpoint URL of the OAuth2 resource server. + #[serde(rename = "tokenUrl")] + pub token_url: String, +} + +/// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpOauth2ClientSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Reference to a Secret key whose value will be passed by Authorino in the request. +/// The HTTP service can use the shared secret to authenticate the origin of the request. +/// Ignored if used together with oauth2. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksHttpSharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesCallbacksWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesCallbacksWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Metadata sources. +/// Authorino fetches auth metadata as JSON from sources specified in this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadata { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// External source of auth metadata via HTTP request + #[serde(default, skip_serializing_if = "Option::is_none")] + pub http: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// User-Managed Access (UMA) source of resource data. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub uma: Option, + /// OpendID Connect UserInfo linked to an OIDC authentication config specified in this same AuthConfig. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "userInfo")] + pub user_info: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyRulesMetadataCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. 
+/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// External source of auth metadata via HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttp { + /// Raw body of the HTTP request. + /// Supersedes 'bodyParameters'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// Custom parameters to encode in the body of the HTTP request. + /// Superseded by 'body'; use either one or the other. + /// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "bodyParameters")] + pub body_parameters: Option>, + /// Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + /// Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "contentType")] + pub content_type: Option, + /// Defines where client credentials will be passed in the request to the service. + /// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub credentials: Option, + /// Custom headers in the HTTP request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP verb used in the request to the service. Accepted values: GET (default), POST. + /// When the request method is POST, the authorization JSON is passed in the body of the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub method: Option, + /// Authentication with the HTTP service by OAuth2 Client Credentials grant. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oauth2: Option, + /// Reference to a Secret key whose value will be passed by Authorino in the request. + /// The HTTP service can use the shared secret to authenticate the origin of the request. + /// Ignored if used together with oauth2. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sharedSecretRef")] + pub shared_secret_ref: Option, + /// Endpoint URL of the HTTP service. + /// The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + /// by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + /// E.g. https://ext-auth-server.io/metadata?p={request.path} + pub url: String, +} + +/// Raw body of the HTTP request. +/// Supersedes 'bodyParameters'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Custom parameters to encode in the body of the HTTP request. +/// Superseded by 'body'; use either one or the other. +/// Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpBodyParameters { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// External source of auth metadata via HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesMetadataHttpContentType { + #[serde(rename = "application/x-www-form-urlencoded")] + ApplicationXWwwFormUrlencoded, + #[serde(rename = "application/json")] + ApplicationJson, +} + +/// Defines where client credentials will be passed in the request to the service. +/// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpCredentials { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizationHeader")] + pub authorization_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cookie: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customHeader")] + pub custom_header: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryString")] + pub query_string: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpCredentialsAuthorizationHeader { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpCredentialsCookie { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpCredentialsCustomHeader { + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpCredentialsQueryString { + pub 
name: String, +} + +/// Custom headers in the HTTP request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// External source of auth metadata via HTTP request +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesMetadataHttpMethod { + #[serde(rename = "GET")] + Get, + #[serde(rename = "POST")] + Post, + #[serde(rename = "PUT")] + Put, + #[serde(rename = "PATCH")] + Patch, + #[serde(rename = "DELETE")] + Delete, + #[serde(rename = "HEAD")] + Head, + #[serde(rename = "OPTIONS")] + Options, + #[serde(rename = "CONNECT")] + Connect, + #[serde(rename = "TRACE")] + Trace, +} + +/// Authentication with the HTTP service by OAuth2 Client Credentials grant. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpOauth2 { + /// Caches and reuses the token until expired. + /// Set it to false to force fetch the token at every authorization request regardless of expiration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// OAuth2 Client ID. + #[serde(rename = "clientId")] + pub client_id: String, + /// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. 
+ #[serde(rename = "clientSecretRef")] + pub client_secret_ref: AuthPolicyRulesMetadataHttpOauth2ClientSecretRef, + /// Optional extra parameters for the requests to the token URL. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraParams")] + pub extra_params: Option>, + /// Optional scopes for the client credentials grant, if supported by he OAuth2 server. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub scopes: Option>, + /// Token endpoint URL of the OAuth2 resource server. + #[serde(rename = "tokenUrl")] + pub token_url: String, +} + +/// Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpOauth2ClientSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// Reference to a Secret key whose value will be passed by Authorino in the request. +/// The HTTP service can use the shared secret to authenticate the origin of the request. +/// Ignored if used together with oauth2. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataHttpSharedSecretRef { + /// The key of the secret to select from. Must be a valid secret key. + pub key: String, + /// The name of the secret in the Authorino's namespace to select from. + pub name: String, +} + +/// User-Managed Access (UMA) source of resource data. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataUma { + /// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the resource registration API of the UMA server. + #[serde(rename = "credentialsRef")] + pub credentials_ref: AuthPolicyRulesMetadataUmaCredentialsRef, + /// The endpoint of the UMA server. 
+ /// The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + pub endpoint: String, +} + +/// Reference to a Kubernetes secret in the same namespace, that stores client credentials to the resource registration API of the UMA server. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataUmaCredentialsRef { + /// Name of the referent. + /// This field is effectively required, but due to backwards compatibility is + /// allowed to be empty. Instances of this type with an empty value here are + /// almost certainly wrong. + /// TODO: Add other useful fields. apiVersion, kind, uid? + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// OpendID Connect UserInfo linked to an OIDC authentication config specified in this same AuthConfig. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataUserInfo { + /// The name of an OIDC-enabled JWT authentication config whose OpenID Connect configuration discovered includes the OIDC "userinfo_endpoint" claim. + #[serde(rename = "identitySource")] + pub identity_source: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesMetadataWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". 
+ /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesMetadataWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Response items. +/// Authorino builds custom responses to the client of the auth request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponse { + /// Response items to be included in the auth response when the request is authenticated and authorized. + /// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub success: Option, + /// Customizations on the denial status attributes when the request is unauthenticated. 
+ /// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. + /// Default: 401 Unauthorized + #[serde(default, skip_serializing_if = "Option::is_none")] + pub unauthenticated: Option, + /// Customizations on the denial status attributes when the request is unauthorized. + /// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. + /// Default: 403 Forbidden + #[serde(default, skip_serializing_if = "Option::is_none")] + pub unauthorized: Option, +} + +/// Response items to be included in the auth response when the request is authenticated and authorized. +/// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccess { + /// Custom success response items wrapped as HTTP headers. + /// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata. + /// See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dynamicMetadata")] + pub dynamic_metadata: Option>, + /// Custom success response items wrapped as HTTP headers. + /// For integration of Authorino via proxy, the proxy must use these settings to inject data in the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, +} + +/// Custom success response items wrapped as HTTP headers. +/// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata. 
+/// See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessDynamicMetadata { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// JSON object + /// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub json: Option, + /// The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). + /// If omitted, it will be set to the name of the response config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Plain text content + #[serde(default, skip_serializing_if = "Option::is_none")] + pub plain: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, + /// Authorino Festival Wristband token + #[serde(default, skip_serializing_if = "Option::is_none")] + pub wristband: Option, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessDynamicMetadataCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyRulesResponseSuccessDynamicMetadataCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessDynamicMetadataCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// JSON object +/// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessDynamicMetadataJson { + pub properties: BTreeMap, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessDynamicMetadataJsonProperties { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Plain text content +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessDynamicMetadataPlain { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessDynamicMetadataWhen { + /// A list of pattern expressions to be evaluated as a logical AND. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesResponseSuccessDynamicMetadataWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authorino Festival Wristband token +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessDynamicMetadataWristband { + /// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. 
+ #[serde(default, skip_serializing_if = "Option::is_none", rename = "customClaims")] + pub custom_claims: Option>, + /// The endpoint to the Authorino service that issues the wristband (format: ://:/, where = /, + /// Time span of the wristband token, in seconds. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenDuration")] + pub token_duration: Option, +} + +/// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessDynamicMetadataWristbandCustomClaims { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessDynamicMetadataWristbandSigningKeyRefs { + /// Algorithm to sign the wristband token using the signing key provided + pub algorithm: AuthPolicyRulesResponseSuccessDynamicMetadataWristbandSigningKeyRefsAlgorithm, + /// Name of the signing key. + /// The value is used to reference the Kubernetes secret that stores the key and in the `kid` claim of the wristband token header. 
+ pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesResponseSuccessDynamicMetadataWristbandSigningKeyRefsAlgorithm { + #[serde(rename = "ES256")] + Es256, + #[serde(rename = "ES384")] + Es384, + #[serde(rename = "ES512")] + Es512, + #[serde(rename = "RS256")] + Rs256, + #[serde(rename = "RS384")] + Rs384, + #[serde(rename = "RS512")] + Rs512, +} + +/// Custom success response items wrapped as HTTP headers. +/// For integration of Authorino via proxy, the proxy must use these settings to inject data in the request. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessHeaders { + /// Caching options for the resolved object returned when applying this config. + /// Omit it to avoid caching objects for this config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cache: Option, + /// JSON object + /// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub json: Option, + /// The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). + /// If omitted, it will be set to the name of the response config. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Whether this config should generate individual observability metrics + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Plain text content + #[serde(default, skip_serializing_if = "Option::is_none")] + pub plain: Option, + /// Priority group of the config. + /// All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub priority: Option, + /// Conditions for Authorino to enforce this config. + /// If omitted, the config will be enforced for all requests. + /// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub when: Option>, + /// Authorino Festival Wristband token + #[serde(default, skip_serializing_if = "Option::is_none")] + pub wristband: Option, +} + +/// Caching options for the resolved object returned when applying this config. +/// Omit it to avoid caching objects for this config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessHeadersCache { + /// Key used to store the entry in the cache. + /// The resolved key must be unique within the scope of this particular config. + pub key: AuthPolicyRulesResponseSuccessHeadersCacheKey, + /// Duration (in seconds) of the external data in the cache before pulled again from the source. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ttl: Option, +} + +/// Key used to store the entry in the cache. +/// The resolved key must be unique within the scope of this particular config. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessHeadersCacheKey { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// JSON object +/// Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessHeadersJson { + pub properties: BTreeMap, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessHeadersJsonProperties { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Plain text content +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessHeadersPlain { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessHeadersWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesResponseSuccessHeadersWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +/// Authorino Festival Wristband token +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessHeadersWristband { + /// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customClaims")] + pub custom_claims: Option>, + /// The endpoint to the Authorino service that issues the wristband (format: ://:/, where = /, + /// Time span of the wristband token, in seconds. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenDuration")] + pub token_duration: Option, +} + +/// Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessHeadersWristbandCustomClaims { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct AuthPolicyRulesResponseSuccessHeadersWristbandSigningKeyRefs { + /// Algorithm to sign the wristband token using the signing key provided + pub algorithm: AuthPolicyRulesResponseSuccessHeadersWristbandSigningKeyRefsAlgorithm, + /// Name of the signing key. + /// The value is used to reference the Kubernetes secret that stores the key and in the `kid` claim of the wristband token header. + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyRulesResponseSuccessHeadersWristbandSigningKeyRefsAlgorithm { + #[serde(rename = "ES256")] + Es256, + #[serde(rename = "ES384")] + Es384, + #[serde(rename = "ES512")] + Es512, + #[serde(rename = "RS256")] + Rs256, + #[serde(rename = "RS384")] + Rs384, + #[serde(rename = "RS512")] + Rs512, +} + +/// Customizations on the denial status attributes when the request is unauthenticated. +/// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. +/// Default: 401 Unauthorized +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseUnauthenticated { + /// HTTP response body to override the default denial body. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// HTTP status code to override the default denial status code. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub code: Option, + /// HTTP response headers to override the default denial headers. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP message to override the default denial message. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub message: Option, +} + +/// HTTP response body to override the default denial body. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseUnauthenticatedBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP response headers to override the default denial headers. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseUnauthenticatedHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP message to override the default denial message. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseUnauthenticatedMessage { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Customizations on the denial status attributes when the request is unauthorized. +/// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config. +/// Default: 403 Forbidden +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseUnauthorized { + /// HTTP response body to override the default denial body. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// HTTP status code to override the default denial status code. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub code: Option, + /// HTTP response headers to override the default denial headers. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// HTTP message to override the default denial message. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub message: Option, +} + +/// HTTP response body to override the default denial body. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseUnauthorizedBody { + /// Simple path selector to fetch content from the authorization JSON (e.g. 
'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP response headers to override the default denial headers. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseUnauthorizedHeaders { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HTTP message to override the default denial message. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyRulesResponseUnauthorizedMessage { + /// Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ /// The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// Static value + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// TargetRef identifies an API object to apply policy to. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyTargetRef { + /// Group is the group of the target resource. + pub group: String, + /// Kind is kind of the target resource. + pub kind: String, + /// Name is the name of the target resource. + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyWhen { + /// A list of pattern expressions to be evaluated as a logical AND. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub all: Option>, + /// A list of pattern expressions to be evaluated as a logical OR. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub any: Option>, + /// The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + /// Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// Reference to a named set of pattern expressions + #[serde(default, skip_serializing_if = "Option::is_none", rename = "patternRef")] + pub pattern_ref: Option, + /// Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + /// Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + /// Authorino custom JSON path modifiers are also supported. 
+ #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// The value of reference for the comparison with the content fetched from the authorization JSON. + /// If used with the "matches" operator, the value must compile to a valid Golang regex. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum AuthPolicyWhenOperator { + #[serde(rename = "eq")] + Eq, + #[serde(rename = "neq")] + Neq, + #[serde(rename = "incl")] + Incl, + #[serde(rename = "excl")] + Excl, + #[serde(rename = "matches")] + Matches, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct AuthPolicyStatus { + /// Represents the observations of a foo's current state. + /// Known .status.conditions.type are: "Available" + #[serde(default, skip_serializing_if = "Option::is_none")] + pub conditions: Option>, + /// ObservedGeneration reflects the generation of the most recently observed spec. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "observedGeneration")] + pub observed_generation: Option, +} + diff --git a/kube-custom-resources-rs/src/kuadrant_io/v1beta3/mod.rs b/kube-custom-resources-rs/src/kuadrant_io/v1beta3/mod.rs index e2b8200da..0c781fc75 100644 --- a/kube-custom-resources-rs/src/kuadrant_io/v1beta3/mod.rs +++ b/kube-custom-resources-rs/src/kuadrant_io/v1beta3/mod.rs @@ -1 +1,2 @@ +pub mod authpolicies; pub mod ratelimitpolicies; diff --git a/kube-custom-resources-rs/src/kuadrant_io/v1beta3/ratelimitpolicies.rs b/kube-custom-resources-rs/src/kuadrant_io/v1beta3/ratelimitpolicies.rs index a17640270..346c73b0d 100644 --- a/kube-custom-resources-rs/src/kuadrant_io/v1beta3/ratelimitpolicies.rs +++ b/kube-custom-resources-rs/src/kuadrant_io/v1beta3/ratelimitpolicies.rs 
@@ -11,7 +11,6 @@ mod prelude { } use self::prelude::*; -/// RateLimitPolicySpec defines the desired state of RateLimitPolicy #[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)] #[kube(group = "kuadrant.io", version = "v1beta3", kind = "RateLimitPolicy", plural = "ratelimitpolicies")] #[kube(namespaced)] 
@@ -20,29 +19,32 @@ use self::prelude::*; #[kube(derive="Default")] #[kube(derive="PartialEq")] pub struct RateLimitPolicySpec { - /// Defaults define explicit default values for this policy and for policies inheriting this policy. - /// Defaults are mutually exclusive with implicit defaults defined by RateLimitPolicyCommonSpec. + /// Rules to apply as defaults. Can be overridden by more specific policiy rules lower in the hierarchy and by less specific policy overrides. + /// Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). #[serde(default, skip_serializing_if = "Option::is_none")] pub defaults: Option, /// Limits holds the struct of limits indexed by a unique name #[serde(default, skip_serializing_if = "Option::is_none")] pub limits: Option>, - /// Overrides define override values for this policy and for policies inheriting this policy. - /// Overrides are mutually exclusive with implicit defaults and explicit Defaults defined by RateLimitPolicyCommonSpec. + /// Rules to apply as overrides. Override all policy rules lower in the hierarchy. Can be overridden by less specific policy overrides. + /// Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). #[serde(default, skip_serializing_if = "Option::is_none")] pub overrides: Option, - /// TargetRef identifies an API object to apply policy to. + /// Reference to the object to which this policy applies. #[serde(rename = "targetRef")] pub target_ref: RateLimitPolicyTargetRef, } -/// Defaults define explicit default values for this policy and for policies inheriting this policy. -/// Defaults are mutually exclusive with implicit defaults defined by RateLimitPolicyCommonSpec. +/// Rules to apply as defaults. Can be overridden by more specific policiy rules lower in the hierarchy and by less specific policy overrides. +/// Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). 
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct RateLimitPolicyDefaults { /// Limits holds the struct of limits indexed by a unique name #[serde(default, skip_serializing_if = "Option::is_none")] pub limits: Option>, + /// Strategy defines the merge strategy to apply when merging this policy with other policies. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub strategy: Option, } /// Limits holds the struct of limits indexed by a unique name @@ -120,6 +122,16 @@ pub enum RateLimitPolicyDefaultsLimitsWhenOperator { Matches, } +/// Rules to apply as defaults. Can be overridden by more specific policiy rules lower in the hierarchy and by less specific policy overrides. +/// Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum RateLimitPolicyDefaultsStrategy { + #[serde(rename = "atomic")] + Atomic, + #[serde(rename = "merge")] + Merge, +} + /// Limits holds the struct of limits indexed by a unique name #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct RateLimitPolicyLimits { 
@@ -195,13 +207,16 @@ pub enum RateLimitPolicyLimitsWhenOperator { Matches, } -/// Overrides define override values for this policy and for policies inheriting this policy. -/// Overrides are mutually exclusive with implicit defaults and explicit Defaults defined by RateLimitPolicyCommonSpec. +/// Rules to apply as overrides. Override all policy rules lower in the hierarchy. Can be overridden by less specific policy overrides. +/// Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct RateLimitPolicyOverrides { /// Limits holds the struct of limits indexed by a unique name #[serde(default, skip_serializing_if = "Option::is_none")] pub limits: Option>, + /// Strategy defines the merge strategy to apply when merging this policy with other policies. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub strategy: Option, } /// Limits holds the struct of limits indexed by a unique name @@ -279,7 +294,17 @@ pub enum RateLimitPolicyOverridesLimitsWhenOperator { Matches, } -/// TargetRef identifies an API object to apply policy to. +/// Rules to apply as overrides. Override all policy rules lower in the hierarchy. Can be overridden by less specific policy overrides. +/// Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum RateLimitPolicyOverridesStrategy { + #[serde(rename = "atomic")] + Atomic, + #[serde(rename = "merge")] + Merge, +} + +/// Reference to the object to which this policy applies. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct RateLimitPolicyTargetRef { /// Group is the group of the target resource. 
@@ -288,9 +313,23 @@ pub struct RateLimitPolicyTargetRef { pub kind: String, /// Name is the name of the target resource. pub name: String, + /// SectionName is the name of a section within the target resource. When + /// unspecified, this targetRef targets the entire resource. In the following + /// resources, SectionName is interpreted as the following: + /// + /// + /// * Gateway: Listener name + /// * HTTPRoute: HTTPRouteRule name + /// * Service: Port name + /// + /// + /// If a SectionName is specified, but does not exist on the targeted object, + /// the Policy must fail to attach, and the policy implementation should record + /// a `ResolvedRefs` or similar Condition in the Policy's status. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sectionName")] + pub section_name: Option, } -/// RateLimitPolicyStatus defines the observed state of RateLimitPolicy #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct RateLimitPolicyStatus { /// Represents the observations of a foo's current state. diff --git a/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/clusterqueues.rs b/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/clusterqueues.rs index 67f77201b..01363f223 100644 --- a/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/clusterqueues.rs +++ b/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/clusterqueues.rs 
@@ -243,12 +243,16 @@ pub struct ClusterQueuePreemption { /// their nominal quota. The possible values are: /// /// - `Never` (default): do not preempt Workloads in the cohort. - /// - `LowerPriority`: if the pending Workload fits within the nominal - /// quota of its ClusterQueue, only preempt Workloads in the cohort that have - /// lower priority than the pending Workload. - /// - `Any`: if the pending Workload fits within the nominal quota of its - /// ClusterQueue, preempt any Workload in the cohort, irrespective of - /// priority. + /// - `LowerPriority`: **Classic Preemption** if the pending Workload + /// fits within the nominal quota of its ClusterQueue, only preempt + /// Workloads in the cohort that have lower priority than the pending + /// Workload. **Fair Sharing** only preempt Workloads in the cohort that + /// have lower priority than the pending Workload and that satisfy the + /// fair sharing preemptionStategies. + /// - `Any`: **Classic Preemption** if the pending Workload fits within + /// the nominal quota of its ClusterQueue, preempt any Workload in the + /// cohort, irrespective of priority. **Fair Sharing** preempt Workloads + /// in the cohort that satisfy the fair sharing preemptionStrategies. #[serde(default, skip_serializing_if = "Option::is_none", rename = "reclaimWithinCohort")] pub reclaim_within_cohort: Option, /// withinClusterQueue determines whether a pending Workload that doesn't fit diff --git a/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/localqueues.rs b/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/localqueues.rs index 3230747d8..e57aeec61 100644 --- a/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/localqueues.rs +++ b/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/localqueues.rs 
@@ -6,6 +6,7 @@ mod prelude { pub use kube::CustomResource; pub use serde::{Serialize, Deserialize}; + pub use std::collections::BTreeMap; pub use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString; pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition; } @@ -58,6 +59,9 @@ pub struct LocalQueueStatus { /// workloads assigned to this LocalQueue. #[serde(default, skip_serializing_if = "Option::is_none", rename = "flavorUsage")] pub flavor_usage: Option>, + /// flavors lists all currently available ResourceFlavors in specified ClusterQueue. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub flavors: Option>, /// flavorsReservation are the reserved quotas, by flavor currently in use by the /// workloads assigned to this LocalQueue. #[serde(default, skip_serializing_if = "Option::is_none", rename = "flavorsReservation")] 
@@ -88,6 +92,42 @@ pub struct LocalQueueStatusFlavorUsageResources { pub total: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LocalQueueStatusFlavors { + /// name of the flavor. + pub name: String, + /// nodeLabels are labels that associate the ResourceFlavor with Nodes that + /// have the same labels. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodeLabels")] + pub node_labels: Option>, + /// nodeTaints are taints that the nodes associated with this ResourceFlavor + /// have. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodeTaints")] + pub node_taints: Option>, + /// resources used in the flavor. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option>, +} + +/// The node this Taint is attached to has the "effect" on +/// any pod that does not tolerate the Taint. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LocalQueueStatusFlavorsNodeTaints { + /// Required. The effect of the taint on pods + /// that do not tolerate the taint. + /// Valid effects are NoSchedule, PreferNoSchedule and NoExecute. + pub effect: String, + /// Required. The taint key to be applied to a node. + pub key: String, + /// TimeAdded represents the time at which the taint was added. + /// It is only written for NoExecute taints. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "timeAdded")] + pub time_added: Option, + /// The taint value corresponding to the taint key. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct LocalQueueStatusFlavorsReservation { /// name of the flavor. diff --git a/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/workloads.rs b/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/workloads.rs index c08062121..1446c26cf 100644 
--- a/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/workloads.rs +++ b/kube-custom-resources-rs/src/kueue_x_k8s_io/v1beta1/workloads.rs @@ -31,6 +31,12 @@ pub struct WorkloadSpec { /// Defaults to true #[serde(default, skip_serializing_if = "Option::is_none")] pub active: Option, + /// maximumExecutionTimeSeconds if provided, determines the maximum time, in seconds, + /// the workload can be admitted before it's automatically deactivated. + /// + /// If unspecified, no execution time limit is enforced on the Workload. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maximumExecutionTimeSeconds")] + pub maximum_execution_time_seconds: Option, /// podSets is a list of sets of homogeneous pods, each described by a Pod spec /// and a count. /// There must be at least one element and at most 8. diff --git a/kube-custom-resources-rs/src/kyverno_io/v2/cleanuppolicies.rs b/kube-custom-resources-rs/src/kyverno_io/v2/cleanuppolicies.rs index f0debf310..1bc9f8891 100644 --- a/kube-custom-resources-rs/src/kyverno_io/v2/cleanuppolicies.rs +++ b/kube-custom-resources-rs/src/kyverno_io/v2/cleanuppolicies.rs @@ -26,6 +26,9 @@ pub struct CleanupPolicySpec { /// Context defines variables and data sources that can be used during rule execution. #[serde(default, skip_serializing_if = "Option::is_none")] pub context: Option>, + /// DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "deletionPropagationPolicy")] + pub deletion_propagation_policy: Option, /// ExcludeResources defines when cleanuppolicy should not be applied. The exclude /// criteria can include resource information (e.g. kind, name, namespace, labels) /// and admission review request information like the name or role. 
@@ -313,6 +316,14 @@ pub struct CleanupPolicyContextVariable { pub value: Option, } +/// Spec declares policy behaviors. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum CleanupPolicyDeletionPropagationPolicy { + Foreground, + Background, + Orphan, +} + /// ExcludeResources defines when cleanuppolicy should not be applied. The exclude /// criteria can include resource information (e.g. kind, name, namespace, labels) /// and admission review request information like the name or role. diff --git a/kube-custom-resources-rs/src/kyverno_io/v2/clustercleanuppolicies.rs b/kube-custom-resources-rs/src/kyverno_io/v2/clustercleanuppolicies.rs index 773ec691c..5941f4ec2 100644 --- a/kube-custom-resources-rs/src/kyverno_io/v2/clustercleanuppolicies.rs +++ b/kube-custom-resources-rs/src/kyverno_io/v2/clustercleanuppolicies.rs @@ -25,6 +25,9 @@ pub struct ClusterCleanupPolicySpec { /// Context defines variables and data sources that can be used during rule execution. #[serde(default, skip_serializing_if = "Option::is_none")] pub context: Option>, + /// DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "deletionPropagationPolicy")] + pub deletion_propagation_policy: Option, /// ExcludeResources defines when cleanuppolicy should not be applied. The exclude /// criteria can include resource information (e.g. kind, name, namespace, labels) /// and admission review request information like the name or role. 
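Review bot: In the `@@ -313,6 +316,14 @@` hunk of kyverno_io/v2/cleanuppolicies.rs, the doc comment on the new `CleanupPolicyDeletionPropagationPolicy` enum, `/// Spec declares policy behaviors.`, describes the enclosing spec rather than the enum. I would reuse the field's own description instead: `/// DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).` The choice matters to anyone relying on a cleanup policy to remove stale objects, because in Kubernetes `Orphan` leaves the dependents of a deleted object in place. The same misplaced comment is on the enums added in the three sibling hunks, `@@ -312,6 +315,14 @@` in v2/clustercleanuppolicies.rs and both v2beta1 files. If the text comes from a generator, the fix belongs in how it picks the description for enum types.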
@@ -312,6 +315,14 @@ pub struct ClusterCleanupPolicyContextVariable { pub value: Option, } +/// Spec declares policy behaviors. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ClusterCleanupPolicyDeletionPropagationPolicy { + Foreground, + Background, + Orphan, +} + /// ExcludeResources defines when cleanuppolicy should not be applied. The exclude /// criteria can include resource information (e.g. kind, name, namespace, labels) /// and admission review request information like the name or role. diff --git a/kube-custom-resources-rs/src/kyverno_io/v2beta1/cleanuppolicies.rs b/kube-custom-resources-rs/src/kyverno_io/v2beta1/cleanuppolicies.rs index ce6203494..cb8209f00 100644 --- a/kube-custom-resources-rs/src/kyverno_io/v2beta1/cleanuppolicies.rs +++ b/kube-custom-resources-rs/src/kyverno_io/v2beta1/cleanuppolicies.rs @@ -26,6 +26,9 @@ pub struct CleanupPolicySpec { /// Context defines variables and data sources that can be used during rule execution. #[serde(default, skip_serializing_if = "Option::is_none")] pub context: Option>, + /// DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "deletionPropagationPolicy")] + pub deletion_propagation_policy: Option, /// ExcludeResources defines when cleanuppolicy should not be applied. The exclude /// criteria can include resource information (e.g. kind, name, namespace, labels) /// and admission review request information like the name or role. 
@@ -313,6 +316,14 @@ pub struct CleanupPolicyContextVariable { pub value: Option, } +/// Spec declares policy behaviors. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum CleanupPolicyDeletionPropagationPolicy { + Foreground, + Background, + Orphan, +} + /// ExcludeResources defines when cleanuppolicy should not be applied. The exclude /// criteria can include resource information (e.g. kind, name, namespace, labels) /// and admission review request information like the name or role. diff --git a/kube-custom-resources-rs/src/kyverno_io/v2beta1/clustercleanuppolicies.rs b/kube-custom-resources-rs/src/kyverno_io/v2beta1/clustercleanuppolicies.rs index a4a4f6ab7..236a0bfe6 100644 --- a/kube-custom-resources-rs/src/kyverno_io/v2beta1/clustercleanuppolicies.rs +++ b/kube-custom-resources-rs/src/kyverno_io/v2beta1/clustercleanuppolicies.rs @@ -25,6 +25,9 @@ pub struct ClusterCleanupPolicySpec { /// Context defines variables and data sources that can be used during rule execution. #[serde(default, skip_serializing_if = "Option::is_none")] pub context: Option>, + /// DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "deletionPropagationPolicy")] + pub deletion_propagation_policy: Option, /// ExcludeResources defines when cleanuppolicy should not be applied. The exclude /// criteria can include resource information (e.g. kind, name, namespace, labels) /// and admission review request information like the name or role. 
@@ -312,6 +315,14 @@ pub struct ClusterCleanupPolicyContextVariable { pub value: Option, } +/// Spec declares policy behaviors. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ClusterCleanupPolicyDeletionPropagationPolicy { + Foreground, + Background, + Orphan, +} + /// ExcludeResources defines when cleanuppolicy should not be applied. The exclude /// criteria can include resource information (e.g. kind, name, namespace, labels) /// and admission review request information like the name or role. diff --git a/kube-custom-resources-rs/src/lib.rs b/kube-custom-resources-rs/src/lib.rs index 5ff673e2a..9813cbff2 100644 --- a/kube-custom-resources-rs/src/lib.rs +++ b/kube-custom-resources-rs/src/lib.rs @@ -1810,6 +1810,7 @@ apiVersion `kuadrant.io/v1beta2`: - `RateLimitPolicy` apiVersion `kuadrant.io/v1beta3`: +- `AuthPolicy` - `RateLimitPolicy` ## kube_green_com diff --git a/kube-custom-resources-rs/src/loki_grafana_com/v1/lokistacks.rs b/kube-custom-resources-rs/src/loki_grafana_com/v1/lokistacks.rs index a01122820..078b74800 100644 --- a/kube-custom-resources-rs/src/loki_grafana_com/v1/lokistacks.rs +++ b/kube-custom-resources-rs/src/loki_grafana_com/v1/lokistacks.rs 
@@ -118,9 +118,10 @@ pub struct LokiStackLimitsGlobal { /// IngestionLimits defines the limits applied on ingested log streams. #[serde(default, skip_serializing_if = "Option::is_none")] pub ingestion: Option, - /// OTLP to configure which resource, scope and log attributes - /// to store as labels or structured metadata or drop them altogether - /// for all tenants. + /// OTLP to configure which resource, scope and log attributes are stored as stream labels or structured metadata. + /// + /// Tenancy modes can provide a default OTLP configuration, when no custom OTLP configuration is set or even + /// enforce the use of some required attributes. #[serde(default, skip_serializing_if = "Option::is_none")] pub otlp: Option, /// QueryLimits defines the limit applied on querying log streams. 
@@ -173,121 +174,76 @@ pub struct LokiStackLimitsGlobalIngestion { pub per_stream_rate_limit_burst: Option, } -/// OTLP to configure which resource, scope and log attributes -/// to store as labels or structured metadata or drop them altogether -/// for all tenants. +/// OTLP to configure which resource, scope and log attributes are stored as stream labels or structured metadata. +/// +/// Tenancy modes can provide a default OTLP configuration, when no custom OTLP configuration is set or even +/// enforce the use of some required attributes. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct LokiStackLimitsGlobalOtlp { - /// IndexedResourceAttributes contains the global configuration for resource attributes - /// to store them as index labels. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "indexedResourceAttributes")] - pub indexed_resource_attributes: Option>, - /// LogAttributes contains the configuration for log attributes - /// to store them as structured metadata or drop them altogether. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "logAttributes")] - pub log_attributes: Option>, - /// ResourceAttributes contains the configuration for resource attributes - /// to store them as index labels or structured metadata or drop them altogether. + /// StreamLabels configures which resource attributes are converted to Loki stream labels. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "streamLabels")] + pub stream_labels: Option, + /// StructuredMetadata configures which attributes are saved in structured metadata. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "structuredMetadata")] + pub structured_metadata: Option, +} + +/// StreamLabels configures which resource attributes are converted to Loki stream labels. 
+#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackLimitsGlobalOtlpStreamLabels { + /// ResourceAttributes lists the names of the resource attributes that should be converted into Loki stream labels. #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceAttributes")] - pub resource_attributes: Option, - /// ScopeAttributes contains the configuration for scope attributes - /// to store them as structured metadata or drop them altogether. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "scopeAttributes")] - pub scope_attributes: Option>, + pub resource_attributes: Option>, } -/// OTLPAttributesSpec contains the configuration for a set of attributes -/// to store them as index labels or structured metadata or drop them altogether. -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub struct LokiStackLimitsGlobalOtlpLogAttributes { - /// Action defines the indexing action for the selected attributes. They - /// can be either added to structured metadata or drop altogether. - pub action: LokiStackLimitsGlobalOtlpLogAttributesAction, - /// Attributes allows choosing the attributes by listing their names. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub attributes: Option>, - /// Regex allows choosing the attributes by matching a regular expression. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackLimitsGlobalOtlpStreamLabelsResourceAttributes { + /// Name contains either a verbatim name of an attribute or a regular expression matching many attributes. + pub name: String, + /// If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name. 
#[serde(default, skip_serializing_if = "Option::is_none")] - pub regex: Option, + pub regex: Option, } -/// OTLPAttributesSpec contains the configuration for a set of attributes -/// to store them as index labels or structured metadata or drop them altogether. -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub enum LokiStackLimitsGlobalOtlpLogAttributesAction { - #[serde(rename = "structured_metadata")] - StructuredMetadata, - #[serde(rename = "drop")] - Drop, +/// StructuredMetadata configures which attributes are saved in structured metadata. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackLimitsGlobalOtlpStructuredMetadata { + /// LogAttributes lists the names of log attributes that should be included in structured metadata. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "logAttributes")] + pub log_attributes: Option>, + /// ResourceAttributes lists the names of resource attributes that should be included in structured metadata. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceAttributes")] + pub resource_attributes: Option>, + /// ScopeAttributes lists the names of scope attributes that should be included in structured metadata. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "scopeAttributes")] + pub scope_attributes: Option>, } -/// ResourceAttributes contains the configuration for resource attributes -/// to store them as index labels or structured metadata or drop them altogether. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct LokiStackLimitsGlobalOtlpResourceAttributes { - /// Attributes contains the configuration for resource attributes - /// to store them as index labels or structured metadata or drop them altogether. +pub struct LokiStackLimitsGlobalOtlpStructuredMetadataLogAttributes { + /// Name contains either a verbatim name of an attribute or a regular expression matching many attributes. 
+ pub name: String, + /// If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name. #[serde(default, skip_serializing_if = "Option::is_none")] - pub attributes: Option>, - /// IgnoreDefaults controls whether to ignore the global configuration for resource attributes - /// indexed as labels. - /// - /// If IgnoreDefaults is true, then this spec needs to contain at least one mapping to a index label. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreDefaults")] - pub ignore_defaults: Option, + pub regex: Option, } -/// OTLPResourceAttributesConfigSpec contains the configuration for a set of resource attributes -/// to store them as index labels or structured metadata or drop them altogether. -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub struct LokiStackLimitsGlobalOtlpResourceAttributesAttributes { - /// Action defines the indexing action for the selected resoure attributes. They - /// can be either indexed as labels, added to structured metadata or drop altogether. - pub action: LokiStackLimitsGlobalOtlpResourceAttributesAttributesAction, - /// Attributes is the list of attributes to configure indexing or drop them - /// altogether. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub attributes: Option>, - /// Regex allows choosing the attributes by matching a regular expression. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackLimitsGlobalOtlpStructuredMetadataResourceAttributes { + /// Name contains either a verbatim name of an attribute or a regular expression matching many attributes. + pub name: String, + /// If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name. 
#[serde(default, skip_serializing_if = "Option::is_none")] - pub regex: Option, -} - -/// OTLPResourceAttributesConfigSpec contains the configuration for a set of resource attributes -/// to store them as index labels or structured metadata or drop them altogether. -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub enum LokiStackLimitsGlobalOtlpResourceAttributesAttributesAction { - #[serde(rename = "index_label")] - IndexLabel, - #[serde(rename = "structured_metadata")] - StructuredMetadata, - #[serde(rename = "drop")] - Drop, + pub regex: Option, } -/// OTLPAttributesSpec contains the configuration for a set of attributes -/// to store them as index labels or structured metadata or drop them altogether. -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub struct LokiStackLimitsGlobalOtlpScopeAttributes { - /// Action defines the indexing action for the selected attributes. They - /// can be either added to structured metadata or drop altogether. - pub action: LokiStackLimitsGlobalOtlpScopeAttributesAction, - /// Attributes allows choosing the attributes by listing their names. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub attributes: Option>, - /// Regex allows choosing the attributes by matching a regular expression. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackLimitsGlobalOtlpStructuredMetadataScopeAttributes { + /// Name contains either a verbatim name of an attribute or a regular expression matching many attributes. + pub name: String, + /// If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name. #[serde(default, skip_serializing_if = "Option::is_none")] - pub regex: Option, -} - -/// OTLPAttributesSpec contains the configuration for a set of attributes -/// to store them as index labels or structured metadata or drop them altogether. 
-#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub enum LokiStackLimitsGlobalOtlpScopeAttributesAction { - #[serde(rename = "structured_metadata")] - StructuredMetadata, - #[serde(rename = "drop")] - Drop, + pub regex: Option, } /// QueryLimits defines the limit applied on querying log streams. @@ -344,9 +300,12 @@ pub struct LokiStackLimitsTenants { /// IngestionLimits defines the limits applied on ingested log streams. #[serde(default, skip_serializing_if = "Option::is_none")] pub ingestion: Option, - /// OTLP to configure which resource, scope and log attributes - /// to store as labels or structured metadata or drop them altogether - /// for a single tenants. + /// OTLP to configure which resource, scope and log attributes are stored as stream labels or structured metadata. + /// + /// Tenancy modes can provide a default OTLP configuration, when no custom OTLP configuration is set or even + /// enforce the use of some required attributes. + /// + /// The per-tenant configuration for OTLP attributes will be merged with the global configuration. #[serde(default, skip_serializing_if = "Option::is_none")] pub otlp: Option, /// QueryLimits defines the limit applied on querying log streams. 
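Review bot: The `@@ -173,121 +174,76 @@` hunk replaces the public fields of `LokiStackLimitsGlobalOtlp` and deletes the `...Action` enums, including their `Drop` variants, and nothing on the new side says so. The new `streamLabels` / `structuredMetadata` types carry only `name` and `regex`, so code that set the drop action to keep an attribute out of storage has no counterpart to migrate to and will just stop compiling. I would state this on the struct, for example `/// Replaces the action-based OTLP attribute specs; the drop action has no counterpart here.`, and call the break out in the release notes. It is also worth saying in the `regex` field docs that a broad pattern selects every matching attribute. Whether unlisted attributes are still discarded by the operator is not visible in this diff. The tenant-level hunk `@@ -399,117 +358,78 @@` has the same change.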
@@ -399,117 +358,78 @@ pub struct LokiStackLimitsTenantsIngestion { pub per_stream_rate_limit_burst: Option, } -/// OTLP to configure which resource, scope and log attributes -/// to store as labels or structured metadata or drop them altogether -/// for a single tenants. +/// OTLP to configure which resource, scope and log attributes are stored as stream labels or structured metadata. +/// +/// Tenancy modes can provide a default OTLP configuration, when no custom OTLP configuration is set or even +/// enforce the use of some required attributes. +/// +/// The per-tenant configuration for OTLP attributes will be merged with the global configuration. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct LokiStackLimitsTenantsOtlp { - /// LogAttributes contains the configuration for log attributes - /// to store them as structured metadata or drop them altogether. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "logAttributes")] - pub log_attributes: Option>, - /// ResourceAttributes contains the configuration for resource attributes - /// to store them as index labels or structured metadata or drop them altogether. + /// StreamLabels configures which resource attributes are converted to Loki stream labels. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "streamLabels")] + pub stream_labels: Option, + /// StructuredMetadata configures which attributes are saved in structured metadata. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "structuredMetadata")] + pub structured_metadata: Option, +} + +/// StreamLabels configures which resource attributes are converted to Loki stream labels. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackLimitsTenantsOtlpStreamLabels { + /// ResourceAttributes lists the names of the resource attributes that should be converted into Loki stream labels. 
#[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceAttributes")] - pub resource_attributes: Option, - /// ScopeAttributes contains the configuration for scope attributes - /// to store them as structured metadata or drop them altogether. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "scopeAttributes")] - pub scope_attributes: Option>, + pub resource_attributes: Option>, } -/// OTLPAttributesSpec contains the configuration for a set of attributes -/// to store them as index labels or structured metadata or drop them altogether. -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub struct LokiStackLimitsTenantsOtlpLogAttributes { - /// Action defines the indexing action for the selected attributes. They - /// can be either added to structured metadata or drop altogether. - pub action: LokiStackLimitsTenantsOtlpLogAttributesAction, - /// Attributes allows choosing the attributes by listing their names. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub attributes: Option>, - /// Regex allows choosing the attributes by matching a regular expression. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackLimitsTenantsOtlpStreamLabelsResourceAttributes { + /// Name contains either a verbatim name of an attribute or a regular expression matching many attributes. + pub name: String, + /// If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name. #[serde(default, skip_serializing_if = "Option::is_none")] - pub regex: Option, + pub regex: Option, } -/// OTLPAttributesSpec contains the configuration for a set of attributes -/// to store them as index labels or structured metadata or drop them altogether. 
-#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub enum LokiStackLimitsTenantsOtlpLogAttributesAction { - #[serde(rename = "structured_metadata")] - StructuredMetadata, - #[serde(rename = "drop")] - Drop, +/// StructuredMetadata configures which attributes are saved in structured metadata. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackLimitsTenantsOtlpStructuredMetadata { + /// LogAttributes lists the names of log attributes that should be included in structured metadata. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "logAttributes")] + pub log_attributes: Option>, + /// ResourceAttributes lists the names of resource attributes that should be included in structured metadata. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceAttributes")] + pub resource_attributes: Option>, + /// ScopeAttributes lists the names of scope attributes that should be included in structured metadata. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "scopeAttributes")] + pub scope_attributes: Option>, } -/// ResourceAttributes contains the configuration for resource attributes -/// to store them as index labels or structured metadata or drop them altogether. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] -pub struct LokiStackLimitsTenantsOtlpResourceAttributes { - /// Attributes contains the configuration for resource attributes - /// to store them as index labels or structured metadata or drop them altogether. +pub struct LokiStackLimitsTenantsOtlpStructuredMetadataLogAttributes { + /// Name contains either a verbatim name of an attribute or a regular expression matching many attributes. + pub name: String, + /// If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name. 
#[serde(default, skip_serializing_if = "Option::is_none")] - pub attributes: Option>, - /// IgnoreDefaults controls whether to ignore the global configuration for resource attributes - /// indexed as labels. - /// - /// If IgnoreDefaults is true, then this spec needs to contain at least one mapping to a index label. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreDefaults")] - pub ignore_defaults: Option, + pub regex: Option, } -/// OTLPResourceAttributesConfigSpec contains the configuration for a set of resource attributes -/// to store them as index labels or structured metadata or drop them altogether. -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub struct LokiStackLimitsTenantsOtlpResourceAttributesAttributes { - /// Action defines the indexing action for the selected resoure attributes. They - /// can be either indexed as labels, added to structured metadata or drop altogether. - pub action: LokiStackLimitsTenantsOtlpResourceAttributesAttributesAction, - /// Attributes is the list of attributes to configure indexing or drop them - /// altogether. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub attributes: Option>, - /// Regex allows choosing the attributes by matching a regular expression. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackLimitsTenantsOtlpStructuredMetadataResourceAttributes { + /// Name contains either a verbatim name of an attribute or a regular expression matching many attributes. + pub name: String, + /// If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name. #[serde(default, skip_serializing_if = "Option::is_none")] - pub regex: Option, -} - -/// OTLPResourceAttributesConfigSpec contains the configuration for a set of resource attributes -/// to store them as index labels or structured metadata or drop them altogether. 
-#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub enum LokiStackLimitsTenantsOtlpResourceAttributesAttributesAction { - #[serde(rename = "index_label")] - IndexLabel, - #[serde(rename = "structured_metadata")] - StructuredMetadata, - #[serde(rename = "drop")] - Drop, + pub regex: Option, } -/// OTLPAttributesSpec contains the configuration for a set of attributes -/// to store them as index labels or structured metadata or drop them altogether. -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub struct LokiStackLimitsTenantsOtlpScopeAttributes { - /// Action defines the indexing action for the selected attributes. They - /// can be either added to structured metadata or drop altogether. - pub action: LokiStackLimitsTenantsOtlpScopeAttributesAction, - /// Attributes allows choosing the attributes by listing their names. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub attributes: Option>, - /// Regex allows choosing the attributes by matching a regular expression. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackLimitsTenantsOtlpStructuredMetadataScopeAttributes { + /// Name contains either a verbatim name of an attribute or a regular expression matching many attributes. + pub name: String, + /// If Regex is true, then Name is treated as a regular expression instead of as a verbatim attribute name. #[serde(default, skip_serializing_if = "Option::is_none")] - pub regex: Option, -} - -/// OTLPAttributesSpec contains the configuration for a set of attributes -/// to store them as index labels or structured metadata or drop them altogether. -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] -pub enum LokiStackLimitsTenantsOtlpScopeAttributesAction { - #[serde(rename = "structured_metadata")] - StructuredMetadata, - #[serde(rename = "drop")] - Drop, + pub regex: Option, } /// QueryLimits defines the limit applied on querying log streams. 
@@ -706,6 +626,8 @@ pub struct LokiStackRulesSelectorMatchExpressions { pub enum LokiStackSize { #[serde(rename = "1x.demo")] r#_1xDemo, + #[serde(rename = "1x.pico")] + r#_1xPico, #[serde(rename = "1x.extra-small")] r#_1xExtraSmall, #[serde(rename = "1x.small")] @@ -3226,6 +3148,28 @@ pub struct LokiStackTenantsOpenshift { /// - dedicated-admin #[serde(default, skip_serializing_if = "Option::is_none", rename = "adminGroups")] pub admin_groups: Option>, + /// OTLP contains settings for ingesting data using OTLP in the OpenShift tenancy mode. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub otlp: Option, +} + +/// OTLP contains settings for ingesting data using OTLP in the OpenShift tenancy mode. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct LokiStackTenantsOpenshiftOtlp { + /// DisableRecommendedAttributes can be used to reduce the number of attributes used for stream labels and structured + /// metadata. + /// + /// Enabling this setting removes the "recommended attributes" from the generated Loki configuration. This will cause + /// meta information to not be available as stream labels or structured metadata, potentially making queries more + /// expensive and less performant. + /// + /// Note that there is a set of "required attributes", needed for OpenShift Logging to work properly. Those will be + /// added to the configuration, even if this field is set to true. + /// + /// This option is supposed to be combined with a custom label configuration customizing the labels for the specific + /// usecase. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "disableRecommendedAttributes")] + pub disable_recommended_attributes: Option, } /// LokiStack CR spec Status. diff --git a/kube-custom-resources-rs/src/metal3_io/v1alpha1/bmceventsubscriptions.rs b/kube-custom-resources-rs/src/metal3_io/v1alpha1/bmceventsubscriptions.rs index a21d8c340..83bb3d3f8 100644 
--- a/kube-custom-resources-rs/src/metal3_io/v1alpha1/bmceventsubscriptions.rs +++ b/kube-custom-resources-rs/src/metal3_io/v1alpha1/bmceventsubscriptions.rs @@ -26,12 +26,14 @@ pub struct BMCEventSubscriptionSpec { /// A reference to a BareMetalHost #[serde(default, skip_serializing_if = "Option::is_none", rename = "hostName")] pub host_name: Option, - /// A secret containing HTTP headers which should be passed along to the Destination when making a request + /// A secret containing HTTP headers which should be passed along to the Destination + /// when making a request #[serde(default, skip_serializing_if = "Option::is_none", rename = "httpHeadersRef")] pub http_headers_ref: Option, } -/// A secret containing HTTP headers which should be passed along to the Destination when making a request +/// A secret containing HTTP headers which should be passed along to the Destination +/// when making a request #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct BMCEventSubscriptionHttpHeadersRef { /// name is unique within a namespace to reference a secret resource. diff --git a/kube-custom-resources-rs/src/metal3_io/v1alpha1/dataimages.rs b/kube-custom-resources-rs/src/metal3_io/v1alpha1/dataimages.rs index cbfb84bdd..2cfc5d80b 100644 --- a/kube-custom-resources-rs/src/metal3_io/v1alpha1/dataimages.rs +++ b/kube-custom-resources-rs/src/metal3_io/v1alpha1/dataimages.rs @@ -18,7 +18,8 @@ use self::prelude::*; #[kube(derive="Default")] #[kube(derive="PartialEq")] pub struct DataImageSpec { - /// Url is the address of the dataImage that we want to attach to a BareMetalHost + /// Url is the address of the dataImage that we want to attach + /// to a BareMetalHost pub url: String, } diff --git a/kube-custom-resources-rs/src/metal3_io/v1alpha1/firmwareschemas.rs b/kube-custom-resources-rs/src/metal3_io/v1alpha1/firmwareschemas.rs index bb5170ac1..6cfedd65e 100644 --- a/kube-custom-resources-rs/src/metal3_io/v1alpha1/firmwareschemas.rs 
+++ b/kube-custom-resources-rs/src/metal3_io/v1alpha1/firmwareschemas.rs @@ -49,7 +49,8 @@ pub struct FirmwareSchemaSchema { /// Whether or not this setting is read only. #[serde(default, skip_serializing_if = "Option::is_none")] pub read_only: Option, - /// Whether or not this setting's value is unique to this node, e.g. a serial number. + /// Whether or not this setting's value is unique to this node, e.g. + /// a serial number. #[serde(default, skip_serializing_if = "Option::is_none")] pub unique: Option, /// The highest value for an Integer type setting. diff --git a/kube-custom-resources-rs/src/metal3_io/v1alpha1/hardwaredata.rs b/kube-custom-resources-rs/src/metal3_io/v1alpha1/hardwaredata.rs index ccc8d358d..71cb6e67c 100644 --- a/kube-custom-resources-rs/src/metal3_io/v1alpha1/hardwaredata.rs +++ b/kube-custom-resources-rs/src/metal3_io/v1alpha1/hardwaredata.rs @@ -88,7 +88,9 @@ pub struct HardwareDataHardwareFirmwareBios { /// NIC describes one network interface on the host. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct HardwareDataHardwareNics { - /// The IP address of the interface. This will be an IPv4 or IPv6 address if one is present. If both IPv4 and IPv6 addresses are present in a dual-stack environment, two nics will be output, one with each IP. + /// The IP address of the interface. This will be an IPv4 or IPv6 address + /// if one is present. If both IPv4 and IPv6 addresses are present in a + /// dual-stack environment, two nics will be output, one with each IP. #[serde(default, skip_serializing_if = "Option::is_none")] pub ip: Option, /// The device MAC address 
@@ -127,7 +129,9 @@ pub struct HardwareDataHardwareNicsVlans { /// Storage describes one storage device (disk, SSD, etc.) on the host. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct HardwareDataHardwareStorage { - /// A list of alternate Linux device names of the disk, e.g. "/dev/sda". Note that this list is not exhaustive, and names may not be stable across reboots. + /// A list of alternate Linux device names of the disk, e.g. "/dev/sda". + /// Note that this list is not exhaustive, and names may not be stable + /// across reboots. #[serde(default, skip_serializing_if = "Option::is_none", rename = "alternateNames")] pub alternate_names: Option>, /// The SCSI location of the device @@ -136,10 +140,15 @@ pub struct HardwareDataHardwareStorage { /// Hardware model #[serde(default, skip_serializing_if = "Option::is_none")] pub model: Option, - /// A Linux device name of the disk, e.g. "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0". This will be a name that is stable across reboots if one is available. + /// A Linux device name of the disk, e.g. + /// "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0". This will be a name + /// that is stable across reboots if one is available. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, - /// Whether this disk represents rotational storage. This field is not recommended for usage, please prefer using 'Type' field instead, this field will be deprecated eventually. + /// Whether this disk represents rotational storage. + /// This field is not recommended for usage, please + /// prefer using 'Type' field instead, this field + /// will be deprecated eventually. #[serde(default, skip_serializing_if = "Option::is_none")] pub rotational: Option, /// The serial number of the device diff --git a/kube-custom-resources-rs/src/metal3_io/v1alpha1/hostfirmwarecomponents.rs b/kube-custom-resources-rs/src/metal3_io/v1alpha1/hostfirmwarecomponents.rs index 00026d86e..434e2d48d 100644 
--- a/kube-custom-resources-rs/src/metal3_io/v1alpha1/hostfirmwarecomponents.rs +++ b/kube-custom-resources-rs/src/metal3_io/v1alpha1/hostfirmwarecomponents.rs @@ -41,7 +41,8 @@ pub struct HostFirmwareComponentsStatus { /// Time that the status was last updated #[serde(default, skip_serializing_if = "Option::is_none", rename = "lastUpdated")] pub last_updated: Option, - /// Updates is the list of all firmware components that should be updated they are specified via name and url fields. + /// Updates is the list of all firmware components that should be updated + /// they are specified via name and url fields. #[serde(default, skip_serializing_if = "Option::is_none")] pub updates: Option>, } diff --git a/kube-custom-resources-rs/src/metal3_io/v1alpha1/hostfirmwaresettings.rs b/kube-custom-resources-rs/src/metal3_io/v1alpha1/hostfirmwaresettings.rs index 56c9c2474..61656c32f 100644 --- a/kube-custom-resources-rs/src/metal3_io/v1alpha1/hostfirmwaresettings.rs +++ b/kube-custom-resources-rs/src/metal3_io/v1alpha1/hostfirmwaresettings.rs 
@@ -34,14 +34,18 @@ pub struct HostFirmwareSettingsStatus { /// Time that the status was last updated #[serde(default, skip_serializing_if = "Option::is_none", rename = "lastUpdated")] pub last_updated: Option, - /// FirmwareSchema is a reference to the Schema used to describe each FirmwareSetting. By default, this will be a Schema in the same Namespace as the settings but it can be overwritten in the Spec + /// FirmwareSchema is a reference to the Schema used to describe each + /// FirmwareSetting. By default, this will be a Schema in the same + /// Namespace as the settings but it can be overwritten in the Spec #[serde(default, skip_serializing_if = "Option::is_none")] pub schema: Option, /// Settings are the firmware settings stored as name/value pairs pub settings: BTreeMap, } -/// FirmwareSchema is a reference to the Schema used to describe each FirmwareSetting. By default, this will be a Schema in the same Namespace as the settings but it can be overwritten in the Spec +/// FirmwareSchema is a reference to the Schema used to describe each +/// FirmwareSetting. By default, this will be a Schema in the same +/// Namespace as the settings but it can be overwritten in the Spec #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct HostFirmwareSettingsStatusSchema { /// `name` is the reference to the schema. diff --git a/kube-custom-resources-rs/src/metal3_io/v1alpha1/preprovisioningimages.rs b/kube-custom-resources-rs/src/metal3_io/v1alpha1/preprovisioningimages.rs index c8d2e71a3..f79683152 100644 --- a/kube-custom-resources-rs/src/metal3_io/v1alpha1/preprovisioningimages.rs +++ b/kube-custom-resources-rs/src/metal3_io/v1alpha1/preprovisioningimages.rs 
@@ -25,7 +25,8 @@ pub struct PreprovisioningImageSpec { /// architecture is the processor architecture for which to build the image. #[serde(default, skip_serializing_if = "Option::is_none")] pub architecture: Option, - /// networkDataName is the name of a Secret in the local namespace that contains network data to build in to the image. + /// networkDataName is the name of a Secret in the local namespace that + /// contains network data to build in to the image. #[serde(default, skip_serializing_if = "Option::is_none", rename = "networkDataName")] pub network_data_name: Option, } 
@@ -39,19 +40,23 @@ pub struct PreprovisioningImageStatus { /// conditions describe the state of the built image #[serde(default, skip_serializing_if = "Option::is_none")] pub conditions: Option>, - /// extraKernelParams is a string with extra parameters to pass to the kernel when booting the image over network. Only makes sense for initrd images. + /// extraKernelParams is a string with extra parameters to pass to the + /// kernel when booting the image over network. Only makes sense for initrd images. #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraKernelParams")] pub extra_kernel_params: Option, - /// format is the type of image that is available at the download url: either iso or initrd. + /// format is the type of image that is available at the download url: + /// either iso or initrd. #[serde(default, skip_serializing_if = "Option::is_none")] pub format: Option, /// imageUrl is the URL from which the built image can be downloaded. #[serde(default, skip_serializing_if = "Option::is_none", rename = "imageUrl")] pub image_url: Option, - /// kernelUrl is the URL from which the kernel of the image can be downloaded. Only makes sense for initrd images. + /// kernelUrl is the URL from which the kernel of the image can be downloaded. + /// Only makes sense for initrd images. #[serde(default, skip_serializing_if = "Option::is_none", rename = "kernelUrl")] pub kernel_url: Option, - /// networkData is a reference to the version of the Secret containing the network data used to build the image. + /// networkData is a reference to the version of the Secret containing the + /// network data used to build the image. #[serde(default, skip_serializing_if = "Option::is_none", rename = "networkData")] pub network_data: Option, } 
@@ -65,7 +70,8 @@ pub enum PreprovisioningImageStatusFormat { Initrd, } -/// networkData is a reference to the version of the Secret containing the network data used to build the image. +/// networkData is a reference to the version of the Secret containing the +/// network data used to build the image. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct PreprovisioningImageStatusNetworkData { #[serde(default, skip_serializing_if = "Option::is_none")] diff --git a/kube-custom-resources-rs/src/monitoring_coreos_com/v1/podmonitors.rs b/kube-custom-resources-rs/src/monitoring_coreos_com/v1/podmonitors.rs index 6108efa15..ec5cc9183 100644 --- a/kube-custom-resources-rs/src/monitoring_coreos_com/v1/podmonitors.rs +++ b/kube-custom-resources-rs/src/monitoring_coreos_com/v1/podmonitors.rs @@ -68,6 +68,16 @@ pub struct PodMonitorSpec { /// By default, the pods are discovered in the same namespace as the `PodMonitor` object but it is possible to select pods across different/all namespaces. #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")] pub namespace_selector: Option, + /// If there are more than this many buckets in a native histogram, + /// buckets will be merged to stay within the limit. + /// It requires Prometheus >= v2.45.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nativeHistogramBucketLimit")] + pub native_histogram_bucket_limit: Option, + /// If the growth factor of one bucket to the next is smaller than this, + /// buckets will be merged to increase the factor sufficiently. + /// It requires Prometheus >= v2.50.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nativeHistogramMinBucketFactor")] + pub native_histogram_min_bucket_factor: Option, /// Defines how to scrape metrics from the selected pods. #[serde(default, skip_serializing_if = "Option::is_none", rename = "podMetricsEndpoints")] pub pod_metrics_endpoints: Option>, 
@@ -82,6 +92,10 @@ pub struct PodMonitorSpec { /// The scrape class to apply. #[serde(default, skip_serializing_if = "Option::is_none", rename = "scrapeClass")] pub scrape_class: Option, + /// Whether to scrape a classic histogram that is also exposed as a native histogram. + /// It requires Prometheus >= v2.45.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "scrapeClassicHistograms")] + pub scrape_classic_histograms: Option, /// `scrapeProtocols` defines the protocols to negotiate during a scrape. It tells clients the /// protocols supported by Prometheus in order of preference (from most to least preferred). /// diff --git a/kube-custom-resources-rs/src/monitoring_coreos_com/v1/probes.rs b/kube-custom-resources-rs/src/monitoring_coreos_com/v1/probes.rs index 16a754bcb..f60c6dd3f 100644 --- a/kube-custom-resources-rs/src/monitoring_coreos_com/v1/probes.rs +++ b/kube-custom-resources-rs/src/monitoring_coreos_com/v1/probes.rs @@ -7,6 +7,7 @@ mod prelude { pub use kube::CustomResource; pub use serde::{Serialize, Deserialize}; pub use std::collections::BTreeMap; + pub use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString; } use self::prelude::*; 
@@ -63,6 +64,16 @@ pub struct ProbeSpec { /// https://github.com/prometheus/blackbox_exporter/blob/master/example.yml #[serde(default, skip_serializing_if = "Option::is_none")] pub module: Option, + /// If there are more than this many buckets in a native histogram, + /// buckets will be merged to stay within the limit. + /// It requires Prometheus >= v2.45.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nativeHistogramBucketLimit")] + pub native_histogram_bucket_limit: Option, + /// If the growth factor of one bucket to the next is smaller than this, + /// buckets will be merged to increase the factor sufficiently. + /// It requires Prometheus >= v2.50.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nativeHistogramMinBucketFactor")] + pub native_histogram_min_bucket_factor: Option, /// OAuth2 for the URL. Only valid in Prometheus versions 2.27.0 and newer. #[serde(default, skip_serializing_if = "Option::is_none")] pub oauth2: Option, @@ -76,6 +87,10 @@ pub struct ProbeSpec { /// The scrape class to apply. #[serde(default, skip_serializing_if = "Option::is_none", rename = "scrapeClass")] pub scrape_class: Option, + /// Whether to scrape a classic histogram that is also exposed as a native histogram. + /// It requires Prometheus >= v2.45.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "scrapeClassicHistograms")] + pub scrape_classic_histograms: Option, /// `scrapeProtocols` defines the protocols to negotiate during a scrape. It tells clients the /// protocols supported by Prometheus in order of preference (from most to least preferred). /// diff --git a/kube-custom-resources-rs/src/monitoring_coreos_com/v1/prometheuses.rs b/kube-custom-resources-rs/src/monitoring_coreos_com/v1/prometheuses.rs index b51bc476a..63a7a273d 100644 --- a/kube-custom-resources-rs/src/monitoring_coreos_com/v1/prometheuses.rs +++ b/kube-custom-resources-rs/src/monitoring_coreos_com/v1/prometheuses.rs 
@@ -569,6 +569,12 @@ pub struct PrometheusSpec { /// Defines the list of remote write configurations. #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteWrite")] pub remote_write: Option>, + /// List of the protobuf message versions to accept when receiving the + /// remote writes. + /// + /// It requires Prometheus >= v2.54.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteWriteReceiverMessageVersions")] + pub remote_write_receiver_message_versions: Option>, /// Name of Prometheus external label used to denote the replica name. /// The external label will _not_ be added when the field is set to the /// empty string (`""`). @@ -6045,6 +6051,20 @@ pub struct PrometheusRemoteWrite { /// It requires Prometheus >= v2.25.0. #[serde(default, skip_serializing_if = "Option::is_none")] pub headers: Option>, + /// The Remote Write message's version to use when writing to the endpoint. + /// + /// `Version1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0. + /// `Version2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0. + /// + /// When `Version2.0` is selected, Prometheus will automatically be + /// configured to append the metadata of scraped metrics to the WAL. + /// + /// Before setting this field, consult with your remote storage provider + /// what message version it supports. + /// + /// It requires Prometheus >= v2.54.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "messageVersion")] + pub message_version: Option, /// MetadataConfig configures the sending of series metadata to the remote storage. #[serde(default, skip_serializing_if = "Option::is_none", rename = "metadataConfig")] pub metadata_config: Option, 
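Review bot: The doc comment added on `message_version` in `PrometheusRemoteWrite` names the values `Version1.0` and `Version2.0`, while the `PrometheusRemoteWriteMessageVersion` enum added further down in this file serializes as `V1.0` and `V2.0`. A manifest written from the comment would presumably fail to deserialize; the field's type is not legible in this view, so the link to the enum is inferred from the names. The three mentions should use the wire values, i.e. replace `Version1.0` with `V1.0` and `Version2.0` with `V2.0`. The identical comment is added on `message_version` of `PrometheusAgentRemoteWrite` in prometheusagents.rs. If these bindings are generated from the CRD, the description has to be corrected upstream.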
@@ -6089,7 +6109,7 @@ pub struct PrometheusRemoteWrite { #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteTimeout")] pub remote_timeout: Option, /// Enables sending of exemplars over remote write. Note that - /// exemplar-storage itself must be enabled using the `spec.enableFeature` + /// exemplar-storage itself must be enabled using the `spec.enableFeatures` /// option for exemplars to be scraped in the first place. /// /// It requires Prometheus >= v2.27.0. @@ -6304,6 +6324,16 @@ pub struct PrometheusRemoteWriteBasicAuthUsername { pub optional: Option, } +/// RemoteWriteSpec defines the configuration to write samples from Prometheus +/// to a remote endpoint. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum PrometheusRemoteWriteMessageVersion { + #[serde(rename = "V1.0")] + V10, + #[serde(rename = "V2.0")] + V20, +} + /// MetadataConfig configures the sending of series metadata to the remote storage. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct PrometheusRemoteWriteMetadataConfig { diff --git a/kube-custom-resources-rs/src/monitoring_coreos_com/v1/servicemonitors.rs b/kube-custom-resources-rs/src/monitoring_coreos_com/v1/servicemonitors.rs index 8912a5ad1..26516bf8a 100644 --- a/kube-custom-resources-rs/src/monitoring_coreos_com/v1/servicemonitors.rs +++ b/kube-custom-resources-rs/src/monitoring_coreos_com/v1/servicemonitors.rs 
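Review bot: The `///` comment on the new `PrometheusRemoteWriteMessageVersion` enum is the parent's description ("RemoteWriteSpec defines the configuration to write samples from Prometheus to a remote endpoint") and says nothing about what the enum selects. A comment such as `/// Remote Write protobuf message version to use when writing to the endpoint.` would describe it. The variants `V10` and `V20` could each carry a one-line comment naming the protobuf message they stand for, which the field comment on `message_version` already spells out. `PrometheusAgentRemoteWriteMessageVersion` in prometheusagents.rs is added with the same copied comment.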
@@ -73,6 +73,16 @@ pub struct ServiceMonitorSpec { /// By default, the services are discovered in the same namespace as the `ServiceMonitor` object but it is possible to select pods across different/all namespaces. #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")] pub namespace_selector: Option, + /// If there are more than this many buckets in a native histogram, + /// buckets will be merged to stay within the limit. + /// It requires Prometheus >= v2.45.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nativeHistogramBucketLimit")] + pub native_histogram_bucket_limit: Option, + /// If the growth factor of one bucket to the next is smaller than this, + /// buckets will be merged to increase the factor sufficiently. + /// It requires Prometheus >= v2.50.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nativeHistogramMinBucketFactor")] + pub native_histogram_min_bucket_factor: Option, /// `podTargetLabels` defines the labels which are transferred from the /// associated Kubernetes `Pod` object onto the ingested metrics. #[serde(default, skip_serializing_if = "Option::is_none", rename = "podTargetLabels")] @@ -84,6 +94,10 @@ pub struct ServiceMonitorSpec { /// The scrape class to apply. #[serde(default, skip_serializing_if = "Option::is_none", rename = "scrapeClass")] pub scrape_class: Option, + /// Whether to scrape a classic histogram that is also exposed as a native histogram. + /// It requires Prometheus >= v2.45.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "scrapeClassicHistograms")] + pub scrape_classic_histograms: Option, /// `scrapeProtocols` defines the protocols to negotiate during a scrape. It tells clients the /// protocols supported by Prometheus in order of preference (from most to least preferred). /// 
diff --git a/kube-custom-resources-rs/src/monitoring_coreos_com/v1alpha1/prometheusagents.rs b/kube-custom-resources-rs/src/monitoring_coreos_com/v1alpha1/prometheusagents.rs index e8d9f8e33..52c8e93a9 100644 --- a/kube-custom-resources-rs/src/monitoring_coreos_com/v1alpha1/prometheusagents.rs +++ b/kube-custom-resources-rs/src/monitoring_coreos_com/v1alpha1/prometheusagents.rs @@ -484,6 +484,12 @@ pub struct PrometheusAgentSpec { /// Defines the list of remote write configurations. #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteWrite")] pub remote_write: Option>, + /// List of the protobuf message versions to accept when receiving the + /// remote writes. + /// + /// It requires Prometheus >= v2.54.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteWriteReceiverMessageVersions")] + pub remote_write_receiver_message_versions: Option>, /// Name of Prometheus external label used to denote the replica name. /// The external label will _not_ be added when the field is set to the /// empty string (`""`). 
@@ -4575,6 +4581,20 @@ pub struct PrometheusAgentRemoteWrite { /// It requires Prometheus >= v2.25.0. #[serde(default, skip_serializing_if = "Option::is_none")] pub headers: Option>, + /// The Remote Write message's version to use when writing to the endpoint. + /// + /// `Version1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0. + /// `Version2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0. + /// + /// When `Version2.0` is selected, Prometheus will automatically be + /// configured to append the metadata of scraped metrics to the WAL. + /// + /// Before setting this field, consult with your remote storage provider + /// what message version it supports. + /// + /// It requires Prometheus >= v2.54.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "messageVersion")] + pub message_version: Option, /// MetadataConfig configures the sending of series metadata to the remote storage. #[serde(default, skip_serializing_if = "Option::is_none", rename = "metadataConfig")] pub metadata_config: Option, @@ -4619,7 +4639,7 @@ pub struct PrometheusAgentRemoteWrite { #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteTimeout")] pub remote_timeout: Option, /// Enables sending of exemplars over remote write. Note that - /// exemplar-storage itself must be enabled using the `spec.enableFeature` + /// exemplar-storage itself must be enabled using the `spec.enableFeatures` /// option for exemplars to be scraped in the first place. /// /// It requires Prometheus >= v2.27.0. 
@@ -4834,6 +4854,16 @@ pub struct PrometheusAgentRemoteWriteBasicAuthUsername { pub optional: Option, } +/// RemoteWriteSpec defines the configuration to write samples from Prometheus +/// to a remote endpoint. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum PrometheusAgentRemoteWriteMessageVersion { + #[serde(rename = "V1.0")] + V10, + #[serde(rename = "V2.0")] + V20, +} + /// MetadataConfig configures the sending of series metadata to the remote storage. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct PrometheusAgentRemoteWriteMetadataConfig { diff --git a/kube-custom-resources-rs/src/monitoring_coreos_com/v1alpha1/scrapeconfigs.rs b/kube-custom-resources-rs/src/monitoring_coreos_com/v1alpha1/scrapeconfigs.rs index 705e8a77b..3bdafaafc 100644 --- a/kube-custom-resources-rs/src/monitoring_coreos_com/v1alpha1/scrapeconfigs.rs +++ b/kube-custom-resources-rs/src/monitoring_coreos_com/v1alpha1/scrapeconfigs.rs @@ -7,6 +7,7 @@ mod prelude { pub use kube::CustomResource; pub use serde::{Serialize, Deserialize}; pub use std::collections::BTreeMap; + pub use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString; } use self::prelude::*; 
@@ -119,6 +120,16 @@ pub struct ScrapeConfigSpec { /// MetricsPath HTTP path to scrape for metrics. If empty, Prometheus uses the default value (e.g. /metrics). #[serde(default, skip_serializing_if = "Option::is_none", rename = "metricsPath")] pub metrics_path: Option, + /// If there are more than this many buckets in a native histogram, + /// buckets will be merged to stay within the limit. + /// It requires Prometheus >= v2.45.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nativeHistogramBucketLimit")] + pub native_histogram_bucket_limit: Option, + /// If the growth factor of one bucket to the next is smaller than this, + /// buckets will be merged to increase the factor sufficiently. + /// It requires Prometheus >= v2.50.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nativeHistogramMinBucketFactor")] + pub native_histogram_min_bucket_factor: Option, /// `noProxy` is a comma-separated string that can contain IPs, CIDR notation, domain names /// that should be excluded from proxying. IP and domain names can /// contain port numbers. @@ -177,6 +188,10 @@ pub struct ScrapeConfigSpec { /// The scrape class to apply. #[serde(default, skip_serializing_if = "Option::is_none", rename = "scrapeClass")] pub scrape_class: Option, + /// Whether to scrape a classic histogram that is also exposed as a native histogram. + /// It requires Prometheus >= v2.45.0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "scrapeClassicHistograms")] + pub scrape_classic_histograms: Option, /// ScrapeInterval is the interval between consecutive scrapes. #[serde(default, skip_serializing_if = "Option::is_none", rename = "scrapeInterval")] pub scrape_interval: Option, diff --git a/kube-custom-resources-rs/src/opentelemetry_io/v1alpha1/instrumentations.rs b/kube-custom-resources-rs/src/opentelemetry_io/v1alpha1/instrumentations.rs index 6cb6f007e..c39e77c08 100644 
--- a/kube-custom-resources-rs/src/opentelemetry_io/v1alpha1/instrumentations.rs +++ b/kube-custom-resources-rs/src/opentelemetry_io/v1alpha1/instrumentations.rs @@ -60,6 +60,8 @@ pub struct InstrumentationApacheHttpd { pub resource_requirements: Option, #[serde(default, skip_serializing_if = "Option::is_none")] pub version: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeClaimTemplate")] + pub volume_claim_template: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeLimitSize")] pub volume_limit_size: Option, } 
@@ -193,6 +195,91 @@ pub struct InstrumentationApacheHttpdResourceRequirementsClaims { pub request: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationApacheHttpdVolumeClaimTemplate { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option, + pub spec: InstrumentationApacheHttpdVolumeClaimTemplateSpec, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationApacheHttpdVolumeClaimTemplateMetadata { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub annotations: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub finalizers: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationApacheHttpdVolumeClaimTemplateSpec { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSource")] + pub data_source: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSourceRef")] + pub data_source_ref: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributesClassName")] + pub volume_attributes_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeMode")] + pub volume_mode: Option, + 
#[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeName")] + pub volume_name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationApacheHttpdVolumeClaimTemplateSpecDataSource { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationApacheHttpdVolumeClaimTemplateSpecDataSourceRef { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationApacheHttpdVolumeClaimTemplateSpecResources { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationApacheHttpdVolumeClaimTemplateSpecSelector { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationApacheHttpdVolumeClaimTemplateSpecSelectorMatchExpressions { + pub key: String, + pub operator: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct InstrumentationDefaults { #[serde(default, skip_serializing_if = "Option::is_none", rename = "useLabelsForResourceAttributes")] 
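Review bot: None of the `InstrumentationApacheHttpdVolumeClaimTemplate*` structs added in this hunk has a `///` comment, unlike the Prometheus and Loki additions in the same commit. The bindings therefore do not say what the claim is for or how `volume_claim_template` relates to the neighbouring `volume_limit_size`. A struct-level line such as `/// Volume claim template for the Apache HTTPD instrumentation volume.` would be a start, but its wording needs confirming against the upstream CRD, which this diff does not show. Separately, `...VolumeClaimTemplateSpecDataSource` and `...SpecDataSourceRef` derive `Default` although `kind` and `name` are plain `String` fields, so `Default::default()` yields a reference with empty kind and name that callers must overwrite. The Dotnet copies of these types added later in the file are in the same state.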
@@ -207,6 +294,8 @@ pub struct InstrumentationDotnet { pub image: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceRequirements")] pub resource_requirements: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeClaimTemplate")] + pub volume_claim_template: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeLimitSize")] pub volume_limit_size: Option, } 
@@ -284,6 +373,91 @@ pub struct InstrumentationDotnetResourceRequirementsClaims { pub request: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationDotnetVolumeClaimTemplate { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option, + pub spec: InstrumentationDotnetVolumeClaimTemplateSpec, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationDotnetVolumeClaimTemplateMetadata { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub annotations: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub finalizers: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationDotnetVolumeClaimTemplateSpec { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSource")] + pub data_source: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSourceRef")] + pub data_source_ref: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributesClassName")] + pub volume_attributes_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeMode")] + pub volume_mode: Option, + #[serde(default, 
skip_serializing_if = "Option::is_none", rename = "volumeName")] + pub volume_name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationDotnetVolumeClaimTemplateSpecDataSource { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationDotnetVolumeClaimTemplateSpecDataSourceRef { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationDotnetVolumeClaimTemplateSpecResources { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationDotnetVolumeClaimTemplateSpecSelector { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationDotnetVolumeClaimTemplateSpecSelectorMatchExpressions { + pub key: String, + pub operator: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct InstrumentationEnv { pub name: String, 
@@ -370,6 +544,8 @@ pub struct InstrumentationGo { pub image: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceRequirements")] pub resource_requirements: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeClaimTemplate")] + pub volume_claim_template: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeLimitSize")] pub volume_limit_size: Option, } 
@@ -447,6 +623,91 @@ pub struct InstrumentationGoResourceRequirementsClaims { pub request: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationGoVolumeClaimTemplate { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option, + pub spec: InstrumentationGoVolumeClaimTemplateSpec, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationGoVolumeClaimTemplateMetadata { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub annotations: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub finalizers: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationGoVolumeClaimTemplateSpec { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSource")] + pub data_source: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSourceRef")] + pub data_source_ref: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributesClassName")] + pub volume_attributes_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeMode")] + pub volume_mode: Option, + #[serde(default, skip_serializing_if = 
"Option::is_none", rename = "volumeName")] + pub volume_name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationGoVolumeClaimTemplateSpecDataSource { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationGoVolumeClaimTemplateSpecDataSourceRef { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationGoVolumeClaimTemplateSpecResources { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationGoVolumeClaimTemplateSpecSelector { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationGoVolumeClaimTemplateSpecSelectorMatchExpressions { + pub key: String, + pub operator: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct InstrumentationJava { #[serde(default, skip_serializing_if = "Option::is_none")] 
@@ -457,6 +718,8 @@ pub struct InstrumentationJava { pub image: Option, #[serde(default, skip_serializing_if = "Option::is_none")] pub resources: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeClaimTemplate")] + pub volume_claim_template: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeLimitSize")] pub volume_limit_size: Option, } 
@@ -540,6 +803,91 @@ pub struct InstrumentationJavaResourcesClaims { pub request: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationJavaVolumeClaimTemplate { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option, + pub spec: InstrumentationJavaVolumeClaimTemplateSpec, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationJavaVolumeClaimTemplateMetadata { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub annotations: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub finalizers: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationJavaVolumeClaimTemplateSpec { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSource")] + pub data_source: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSourceRef")] + pub data_source_ref: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributesClassName")] + pub volume_attributes_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeMode")] + pub volume_mode: Option, + #[serde(default, skip_serializing_if = 
"Option::is_none", rename = "volumeName")] + pub volume_name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationJavaVolumeClaimTemplateSpecDataSource { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationJavaVolumeClaimTemplateSpecDataSourceRef { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationJavaVolumeClaimTemplateSpecResources { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationJavaVolumeClaimTemplateSpecSelector { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationJavaVolumeClaimTemplateSpecSelectorMatchExpressions { + pub key: String, + pub operator: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct InstrumentationNginx { #[serde(default, skip_serializing_if = "Option::is_none")] 
@@ -552,6 +900,8 @@ pub struct InstrumentationNginx { pub image: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceRequirements")] pub resource_requirements: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeClaimTemplate")] + pub volume_claim_template: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeLimitSize")] pub volume_limit_size: Option, } 
@@ -685,6 +1035,91 @@ pub struct InstrumentationNginxResourceRequirementsClaims { pub request: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNginxVolumeClaimTemplate { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option, + pub spec: InstrumentationNginxVolumeClaimTemplateSpec, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNginxVolumeClaimTemplateMetadata { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub annotations: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub finalizers: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNginxVolumeClaimTemplateSpec { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSource")] + pub data_source: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSourceRef")] + pub data_source_ref: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributesClassName")] + pub volume_attributes_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeMode")] + pub volume_mode: Option, + #[serde(default, skip_serializing_if = 
"Option::is_none", rename = "volumeName")] + pub volume_name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNginxVolumeClaimTemplateSpecDataSource { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNginxVolumeClaimTemplateSpecDataSourceRef { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNginxVolumeClaimTemplateSpecResources { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNginxVolumeClaimTemplateSpecSelector { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNginxVolumeClaimTemplateSpecSelectorMatchExpressions { + pub key: String, + pub operator: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct InstrumentationNodejs { #[serde(default, skip_serializing_if = "Option::is_none")] 
@@ -693,6 +1128,8 @@ pub struct InstrumentationNodejs { pub image: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceRequirements")] pub resource_requirements: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeClaimTemplate")] + pub volume_claim_template: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeLimitSize")] pub volume_limit_size: Option, } 
@@ -770,6 +1207,91 @@ pub struct InstrumentationNodejsResourceRequirementsClaims { pub request: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNodejsVolumeClaimTemplate { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option, + pub spec: InstrumentationNodejsVolumeClaimTemplateSpec, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNodejsVolumeClaimTemplateMetadata { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub annotations: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub finalizers: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNodejsVolumeClaimTemplateSpec { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSource")] + pub data_source: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSourceRef")] + pub data_source_ref: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributesClassName")] + pub volume_attributes_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeMode")] + pub volume_mode: Option, + #[serde(default, 
skip_serializing_if = "Option::is_none", rename = "volumeName")] + pub volume_name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNodejsVolumeClaimTemplateSpecDataSource { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNodejsVolumeClaimTemplateSpecDataSourceRef { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNodejsVolumeClaimTemplateSpecResources { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNodejsVolumeClaimTemplateSpecSelector { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationNodejsVolumeClaimTemplateSpecSelectorMatchExpressions { + pub key: String, + pub operator: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct InstrumentationPython { #[serde(default, skip_serializing_if = "Option::is_none")] 
@@ -778,6 +1300,8 @@ pub struct InstrumentationPython { pub image: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceRequirements")] pub resource_requirements: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeClaimTemplate")] + pub volume_claim_template: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeLimitSize")] pub volume_limit_size: Option, } 
@@ -855,6 +1379,91 @@ pub struct InstrumentationPythonResourceRequirementsClaims { pub request: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationPythonVolumeClaimTemplate { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option, + pub spec: InstrumentationPythonVolumeClaimTemplateSpec, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationPythonVolumeClaimTemplateMetadata { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub annotations: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub finalizers: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationPythonVolumeClaimTemplateSpec { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSource")] + pub data_source: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSourceRef")] + pub data_source_ref: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributesClassName")] + pub volume_attributes_class_name: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeMode")] + pub volume_mode: Option, + #[serde(default, 
skip_serializing_if = "Option::is_none", rename = "volumeName")] + pub volume_name: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationPythonVolumeClaimTemplateSpecDataSource { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationPythonVolumeClaimTemplateSpecDataSourceRef { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + pub kind: String, + pub name: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationPythonVolumeClaimTemplateSpecResources { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationPythonVolumeClaimTemplateSpecSelector { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct InstrumentationPythonVolumeClaimTemplateSpecSelectorMatchExpressions { + pub key: String, + pub operator: String, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct InstrumentationResource { #[serde(default, skip_serializing_if = "Option::is_none", rename = "addK8sUIDAttributes")] 
diff --git a/kube-custom-resources-rs/src/opentelemetry_io/v1beta1/opentelemetrycollectors.rs b/kube-custom-resources-rs/src/opentelemetry_io/v1beta1/opentelemetrycollectors.rs index eece27c98..22b4c27e2 100644 --- a/kube-custom-resources-rs/src/opentelemetry_io/v1beta1/opentelemetrycollectors.rs +++ b/kube-custom-resources-rs/src/opentelemetry_io/v1beta1/opentelemetrycollectors.rs @@ -66,6 +66,8 @@ pub struct OpenTelemetryCollectorSpec { pub node_selector: Option>, #[serde(default, skip_serializing_if = "Option::is_none")] pub observability: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaimRetentionPolicy")] + pub persistent_volume_claim_retention_policy: Option, #[serde(default, skip_serializing_if = "Option::is_none", rename = "podAnnotations")] pub pod_annotations: Option>, #[serde(default, skip_serializing_if = "Option::is_none", rename = "podDisruptionBudget")] @@ -2021,6 +2023,14 @@ pub struct OpenTelemetryCollectorObservabilityMetrics { pub enable_metrics: Option, } +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct OpenTelemetryCollectorPersistentVolumeClaimRetentionPolicy { + #[serde(default, skip_serializing_if = "Option::is_none", rename = "whenDeleted")] + pub when_deleted: Option, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "whenScaled")] + pub when_scaled: Option, +} + #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct OpenTelemetryCollectorPodDisruptionBudget { #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxUnavailable")] diff --git a/kube-custom-resources-rs/src/operations_kubeedge_io/v1alpha1/nodeupgradejobs.rs b/kube-custom-resources-rs/src/operations_kubeedge_io/v1alpha1/nodeupgradejobs.rs index fadcff348..be2f03515 100644 --- a/kube-custom-resources-rs/src/operations_kubeedge_io/v1alpha1/nodeupgradejobs.rs +++ b/kube-custom-resources-rs/src/operations_kubeedge_io/v1alpha1/nodeupgradejobs.rs 
@@ -30,12 +30,18 @@ pub struct NodeUpgradeJobSpec { /// Image specifies a container image name, the image contains: keadm and edgecore. keadm is used as upgradetool, to install the new version of edgecore. The image name consists of registry hostname and repository name, if it includes the tag or digest, the tag or digest will be overwritten by Version field above. If the registry hostname is empty, docker.io will be used as default. The default image name is: kubeedge/installation-package. #[serde(default, skip_serializing_if = "Option::is_none")] pub image: Option, + /// ImageDigestGatter define registry v2 interface access configuration. As a transition, it is not required at first, and the image digest is checked when this field is set. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "imageDigestGatter")] + pub image_digest_gatter: Option, /// LabelSelector is a filter to select member clusters by labels. It must match a node's labels for the NodeUpgradeJob to be operated on that node. Please note that sets of NodeNames and LabelSelector are ORed. Users must set one and can only set one. #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")] pub label_selector: Option, /// NodeNames is a request to select some specific nodes. If it is non-empty, the upgrade job simply select these edge nodes to do upgrade operation. Please note that sets of NodeNames and LabelSelector are ORed. Users must set one and can only set one. #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodeNames")] pub node_names: Option>, + /// RequireConfirmation specifies whether you need to confirm the upgrade. The default RequireConfirmation value is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requireConfirmation")] + pub require_confirmation: Option, /// TimeoutSeconds limits the duration of the node upgrade job. Default to 300. If set to 0, we'll use the default value 300. 
#[serde(default, skip_serializing_if = "Option::is_none", rename = "timeoutSeconds")] pub timeout_seconds: Option, @@ -43,6 +49,24 @@ pub struct NodeUpgradeJobSpec { pub version: Option, } +/// ImageDigestGatter define registry v2 interface access configuration. As a transition, it is not required at first, and the image digest is checked when this field is set. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct NodeUpgradeJobImageDigestGatter { + /// RegistryAPI define registry v2 interface access configuration + #[serde(default, skip_serializing_if = "Option::is_none", rename = "registryAPI")] + pub registry_api: Option, + /// Value used to directly set a value to check image + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// RegistryAPI define registry v2 interface access configuration +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct NodeUpgradeJobImageDigestGatterRegistryApi { + pub host: String, + pub token: String, +} + /// LabelSelector is a filter to select member clusters by labels. It must match a node's labels for the NodeUpgradeJob to be operated on that node. Please note that sets of NodeNames and LabelSelector are ORed. Users must set one and can only set one. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct NodeUpgradeJobLabelSelector { diff --git a/kube-custom-resources-rs/src/org_eclipse_che/v2/checlusters.rs b/kube-custom-resources-rs/src/org_eclipse_che/v2/checlusters.rs index e7d682534..11a5bd52f 100644 --- a/kube-custom-resources-rs/src/org_eclipse_che/v2/checlusters.rs +++ b/kube-custom-resources-rs/src/org_eclipse_che/v2/checlusters.rs 
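Review bot: `NodeUpgradeJobImageDigestGatterRegistryApi` in the `@@ -43,6 +49,24 @@` hunk derives `Debug` while holding `token`, so any `{:?}` of the job spec or of the whole object writes the registry credential into logs and panic messages. Replacing the derived `Debug` on this one struct with a hand-written impl that prints a placeholder for `token` also makes the parent structs' derived output safe, because they delegate to it. The field has no doc comment either; a line such as `/// Registry access token; treat as a secret.` would help. These bindings look derived from the upstream CRD, so the change may have to be carried wherever that generation is configured rather than as a hand edit.

```rust
#[derive(Serialize, Deserialize, Clone, Default, PartialEq)]
pub struct NodeUpgradeJobImageDigestGatterRegistryApi {
    // … unchanged: host and token fields …
}

impl std::fmt::Debug for NodeUpgradeJobImageDigestGatterRegistryApi {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("NodeUpgradeJobImageDigestGatterRegistryApi")
            .field("host", &self.host)
            // Keep the registry credential out of logs and panic messages.
            .field("token", &"<redacted>")
            .finish()
    }
}
```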
@@ -331,11 +331,13 @@ pub struct CheClusterComponentsCheServerProxy { /// A list of hosts that can be reached directly, bypassing the proxy. /// Specify wild card domain use the following form `.`, for example: /// - localhost + /// - 127.0.0.1 /// - my.host.com /// - 123.42.12.32 /// Use only when a proxy configuration is required. The Operator respects OpenShift cluster-wide proxy configuration, /// defining `nonProxyHosts` in a custom resource leads to merging non-proxy hosts lists from the cluster proxy configuration, and the ones defined in the custom resources. /// See the following page: https://docs.openshift.com/container-platform/latest/networking/enable-cluster-wide-proxy.html. + /// In some proxy configurations, localhost may not translate to 127.0.0.1. Both localhost and 127.0.0.1 should be specified in this situation. #[serde(default, skip_serializing_if = "Option::is_none", rename = "nonProxyHosts")] pub non_proxy_hosts: Option>, /// Proxy server port. 
@@ -3791,6 +3793,15 @@ pub struct CheClusterDevEnvironmentsTolerations { /// Trusted certificate settings. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct CheClusterDevEnvironmentsTrustedCerts { + /// By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap + /// containing the CA certificate bundle in users' workspaces at two locations: + /// '/public-certs' and '/etc/pki/ca-trust/extracted/pem'. + /// The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates + /// for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora). + /// This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory + /// while still mounting it to '/public-certs'. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "disableWorkspaceCaBundleMount")] + pub disable_workspace_ca_bundle_mount: Option, /// The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git. /// See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/deploying-che-with-support-for-git-repositories-with-self-signed-certificates/ /// The ConfigMap must have a `app.kubernetes.io/part-of=che.eclipse.org` label. diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1/httpproxies.rs b/kube-custom-resources-rs/src/projectcontour_io/v1/httpproxies.rs index 8fdea3747..c2288b852 100644 --- a/kube-custom-resources-rs/src/projectcontour_io/v1/httpproxies.rs +++ b/kube-custom-resources-rs/src/projectcontour_io/v1/httpproxies.rs 
@@ -626,8 +626,8 @@ pub struct HTTPProxyRoutesLoadBalancerPolicyRequestHashPoliciesHeaderHashOptions /// HeaderName is the name of the HTTP request header that will be used to /// calculate the hash key. If the header specified is not present on a /// request, no hash will be produced. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] - pub header_name: Option, + #[serde(rename = "headerName")] + pub header_name: String, } /// QueryParameterHashOptions should be set when request query parameter hash based load @@ -638,8 +638,8 @@ pub struct HTTPProxyRoutesLoadBalancerPolicyRequestHashPoliciesQueryParameterHas /// ParameterName is the name of the HTTP request query parameter that will be used to /// calculate the hash key. If the query parameter specified is not present on a /// request, no hash will be produced. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "parameterName")] - pub parameter_name: Option, + #[serde(rename = "parameterName")] + pub parameter_name: String, } /// The policy for rewriting the path of the request URL @@ -705,8 +705,7 @@ pub struct HTTPProxyRoutesRateLimitPolicyGlobal { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptors { /// Entries is the list of key-value pair generators. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub entries: Option>, + pub entries: Vec, } /// RateLimitDescriptorEntry is a key-value pair generator. Exactly @@ -740,8 +739,7 @@ pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptorsEntriesGenericKey { #[serde(default, skip_serializing_if = "Option::is_none")] pub key: Option, /// Value defines the value of the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub value: Option, + pub value: String, } /// RemoteAddress defines a descriptor entry with a key of "remote_address" 
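Review bot: `header_name`, `parameter_name`, `entries` and `value` become required in these hunks, yet the structs shown still derive `Default`. A policy built with `..Default::default()` therefore compiles with an empty `headerName` or `value` and is only rejected, if at all, by server-side validation. Parsing changes too: with `#[serde(default)]` removed, an object that lacks one of these keys now fails to deserialize instead of yielding `None`, which matters for controllers that list existing resources. The same pattern repeats in the later rate-limit descriptor hunks for `descriptor_key`, `header_name`, `entries` and `value` in httpproxies.rs, contourconfigurations.rs and contourdeployments.rs. I would state the new contract in each field's doc comment, for example `/// Required: deserialization fails when this key is absent.`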
@@ -756,11 +754,11 @@ pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptorsEntriesRemoteAddress { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptorsEntriesRequestHeader { /// DescriptorKey defines the key to use on the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "descriptorKey")] - pub descriptor_key: Option, + #[serde(rename = "descriptorKey")] + pub descriptor_key: String, /// HeaderName defines the name of the header to look for on the request. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] - pub header_name: Option, + #[serde(rename = "headerName")] + pub header_name: String, } /// RequestHeaderValueMatch defines a descriptor entry that's populated @@ -779,8 +777,7 @@ pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptorsEntriesRequestHeaderVa #[serde(default, skip_serializing_if = "Option::is_none")] pub headers: Option>, /// Value defines the value of the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub value: Option, + pub value: String, } /// HeaderMatchCondition specifies how to conditionally match against HTTP @@ -1353,8 +1350,8 @@ pub struct HTTPProxyTcpproxyLoadBalancerPolicyRequestHashPoliciesHeaderHashOptio /// HeaderName is the name of the HTTP request header that will be used to /// calculate the hash key. If the header specified is not present on a /// request, no hash will be produced. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] - pub header_name: Option, + #[serde(rename = "headerName")] + pub header_name: String, } /// QueryParameterHashOptions should be set when request query parameter hash based load 
@@ -1365,8 +1362,8 @@ pub struct HTTPProxyTcpproxyLoadBalancerPolicyRequestHashPoliciesQueryParameterH /// ParameterName is the name of the HTTP request query parameter that will be used to /// calculate the hash key. If the query parameter specified is not present on a /// request, no hash will be produced. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "parameterName")] - pub parameter_name: Option, + #[serde(rename = "parameterName")] + pub parameter_name: String, } /// Service defines an Kubernetes Service to proxy traffic. @@ -1886,8 +1883,7 @@ pub struct HTTPProxyVirtualhostRateLimitPolicyGlobal { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptors { /// Entries is the list of key-value pair generators. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub entries: Option>, + pub entries: Vec, } /// RateLimitDescriptorEntry is a key-value pair generator. Exactly @@ -1921,8 +1917,7 @@ pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptorsEntriesGenericKey #[serde(default, skip_serializing_if = "Option::is_none")] pub key: Option, /// Value defines the value of the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub value: Option, + pub value: String, } /// RemoteAddress defines a descriptor entry with a key of "remote_address" 
@@ -1937,11 +1932,11 @@ pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptorsEntriesRemoteAddr #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptorsEntriesRequestHeader { /// DescriptorKey defines the key to use on the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "descriptorKey")] - pub descriptor_key: Option, + #[serde(rename = "descriptorKey")] + pub descriptor_key: String, /// HeaderName defines the name of the header to look for on the request. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] - pub header_name: Option, + #[serde(rename = "headerName")] + pub header_name: String, } /// RequestHeaderValueMatch defines a descriptor entry that's populated @@ -1960,8 +1955,7 @@ pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptorsEntriesRequestHea #[serde(default, skip_serializing_if = "Option::is_none")] pub headers: Option>, /// Value defines the value of the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub value: Option, + pub value: String, } /// HeaderMatchCondition specifies how to conditionally match against HTTP @@ -2258,10 +2252,7 @@ pub struct HTTPProxyStatusLoadBalancerIngressPorts { /// CamelCase names /// - cloud provider specific error values must have names that comply with the /// format foo.example.com/CamelCase. - /// --- - /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - #[serde(default, skip_serializing_if = "Option::is_none")] - pub error: Option, + pub error: String, /// Port is the port number of the service port of which status is recorded here pub port: i32, /// Protocol is the protocol of the service port of which status is recorded here 
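Review bot: In the last hunk, `error` in `HTTPProxyStatusLoadBalancerIngressPorts` changes from an optional field to `pub error: String` with no `#[serde(default)]`. This is a status field, and a port with no problem would normally have nothing to report, so confirm that the upstream CRD really lists it as required. If the API server omits the key for healthy ports, deserializing the whole `HTTPProxy` fails, and a controller watching these objects stops processing them. Unless upstream guarantees the key is always present, I would keep `#[serde(default, skip_serializing_if = "Option::is_none")]` and `pub error: Option<String>,`. The struct header and the start of the field's doc comment are outside the hunk.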
diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourconfigurations.rs b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourconfigurations.rs index 81459f57e..60b8018b8 100644 --- a/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourconfigurations.rs +++ b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourconfigurations.rs @@ -851,8 +851,7 @@ pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicy { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescriptors { /// Entries is the list of key-value pair generators. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub entries: Option>, + pub entries: Vec, } /// RateLimitDescriptorEntry is a key-value pair generator. Exactly @@ -886,8 +885,7 @@ pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescr #[serde(default, skip_serializing_if = "Option::is_none")] pub key: Option, /// Value defines the value of the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub value: Option, + pub value: String, } /// RemoteAddress defines a descriptor entry with a key of "remote_address" 
@@ -902,11 +900,11 @@ pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescr #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesRequestHeader { /// DescriptorKey defines the key to use on the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "descriptorKey")] - pub descriptor_key: Option, + #[serde(rename = "descriptorKey")] + pub descriptor_key: String, /// HeaderName defines the name of the header to look for on the request. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] - pub header_name: Option, + #[serde(rename = "headerName")] + pub header_name: String, } /// RequestHeaderValueMatch defines a descriptor entry that's populated @@ -925,8 +923,7 @@ pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescr #[serde(default, skip_serializing_if = "Option::is_none")] pub headers: Option>, /// Value defines the value of the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub value: Option, + pub value: String, } /// HeaderMatchCondition specifies how to conditionally match against HTTP diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourdeployments.rs b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourdeployments.rs index b756e07b1..0adf33205 100644 --- a/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourdeployments.rs +++ b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourdeployments.rs 
@@ -108,9 +108,6 @@ pub struct ContourDeploymentContourDeployment { pub struct ContourDeploymentContourDeploymentStrategy { /// Rolling update config params. Present only if DeploymentStrategyType = /// RollingUpdate. - /// --- - /// TODO: Update this to follow our convention for oneOf, whatever we decide it - /// to be. #[serde(default, skip_serializing_if = "Option::is_none", rename = "rollingUpdate")] pub rolling_update: Option, /// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. @@ -120,9 +117,6 @@ pub struct ContourDeploymentContourDeploymentStrategy { /// Rolling update config params. Present only if DeploymentStrategyType = /// RollingUpdate. -/// --- -/// TODO: Update this to follow our convention for oneOf, whatever we decide it -/// to be. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ContourDeploymentContourDeploymentStrategyRollingUpdate { /// The maximum number of pods that can be scheduled above the desired number of @@ -234,6 +228,11 @@ pub struct ContourDeploymentContourResourcesClaims { /// the Pod where this field is used. It makes that resource available /// inside a container. pub name: String, + /// Request is the name chosen for a request in the referenced claim. + /// If empty, everything from the claim is made available, otherwise + /// only the result of this request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub request: Option, } /// Envoy specifies deployment-time settings for the Envoy 
@@ -316,10 +315,6 @@ pub struct ContourDeploymentEnvoyDaemonSet { #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ContourDeploymentEnvoyDaemonSetUpdateStrategy { /// Rolling update config params. Present only if type = "RollingUpdate". - /// --- - /// TODO: Update this to follow our convention for oneOf, whatever we decide it - /// to be. Same as Deployment `strategy.rollingUpdate`. - /// See https://github.com/kubernetes/kubernetes/issues/35345 #[serde(default, skip_serializing_if = "Option::is_none", rename = "rollingUpdate")] pub rolling_update: Option, /// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. @@ -328,10 +323,6 @@ pub struct ContourDeploymentEnvoyDaemonSetUpdateStrategy { } /// Rolling update config params. Present only if type = "RollingUpdate". -/// --- -/// TODO: Update this to follow our convention for oneOf, whatever we decide it -/// to be. Same as Deployment `strategy.rollingUpdate`. -/// See https://github.com/kubernetes/kubernetes/issues/35345 #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ContourDeploymentEnvoyDaemonSetUpdateStrategyRollingUpdate { /// The maximum number of nodes with an existing available DaemonSet pod that @@ -389,9 +380,6 @@ pub struct ContourDeploymentEnvoyDeployment { pub struct ContourDeploymentEnvoyDeploymentStrategy { /// Rolling update config params. Present only if DeploymentStrategyType = /// RollingUpdate. - /// --- - /// TODO: Update this to follow our convention for oneOf, whatever we decide it - /// to be. #[serde(default, skip_serializing_if = "Option::is_none", rename = "rollingUpdate")] pub rolling_update: Option, /// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. 
@@ -401,9 +389,6 @@ pub struct ContourDeploymentEnvoyDeploymentStrategy { /// Rolling update config params. Present only if DeploymentStrategyType = /// RollingUpdate. -/// --- -/// TODO: Update this to follow our convention for oneOf, whatever we decide it -/// to be. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ContourDeploymentEnvoyDeploymentStrategyRollingUpdate { /// The maximum number of pods that can be scheduled above the desired number of 
@@ -566,11 +551,22 @@ pub struct ContourDeploymentEnvoyExtraVolumes { /// used for system agents or other privileged things that are allowed /// to see the host machine. Most containers will NOT need this. /// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - /// --- - /// TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not - /// mount host directories as read/write. #[serde(default, skip_serializing_if = "Option::is_none", rename = "hostPath")] pub host_path: Option, + /// image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + /// The volume is resolved at pod startup depending on which PullPolicy value is provided: + /// - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + /// - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + /// - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + /// The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + /// A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + /// The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + /// The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. 
+ /// The volume will be mounted read-only (ro) and non-executable files (noexec). + /// Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + /// The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub image: Option, /// iscsi represents an ISCSI Disk resource that is attached to a /// kubelet's host machine and then exposed to the pod. /// More info: https://examples.k8s.io/volumes/iscsi/README.md @@ -629,7 +625,6 @@ pub struct ContourDeploymentEnvoyExtraVolumesAwsElasticBlockStore { /// Tip: Ensure that the filesystem type is supported by the host operating system. /// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. /// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - /// TODO: how do we prevent errors in the filesystem from compromising the machine #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] pub fs_type: Option, /// partition is the partition in the volume that you want to mount. @@ -725,9 +720,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesCephfsSecretRef { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, } 
@@ -765,9 +758,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesCinderSecretRef { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, } @@ -797,9 +788,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesConfigMap { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, /// optional specify whether the ConfigMap or its keys must be defined @@ -866,9 +855,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesCsiNodePublishSecretRef { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, } 
@@ -1111,7 +1098,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesEphemeralVolumeClaimTemplateSpec { /// set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource /// exists. /// More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - /// (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + /// (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributesClassName")] pub volume_attributes_class_name: Option, /// volumeMode defines what type of volume is required by the claim. @@ -1240,7 +1227,6 @@ pub struct ContourDeploymentEnvoyExtraVolumesFc { /// fsType is the filesystem type to mount. /// Must be a filesystem type supported by the host operating system. /// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - /// TODO: how do we prevent errors in the filesystem from compromising the machine #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] pub fs_type: Option, /// lun is Optional: FC target lun number @@ -1297,9 +1283,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesFlexVolumeSecretRef { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, } 
@@ -1325,7 +1309,6 @@ pub struct ContourDeploymentEnvoyExtraVolumesGcePersistentDisk { /// Tip: Ensure that the filesystem type is supported by the host operating system. /// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. /// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - /// TODO: how do we prevent errors in the filesystem from compromising the machine #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] pub fs_type: Option, /// partition is the partition in the volume that you want to mount. @@ -1387,9 +1370,6 @@ pub struct ContourDeploymentEnvoyExtraVolumesGlusterfs { /// used for system agents or other privileged things that are allowed /// to see the host machine. Most containers will NOT need this. /// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath -/// --- -/// TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not -/// mount host directories as read/write. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ContourDeploymentEnvoyExtraVolumesHostPath { /// path of the directory on the host. 
@@ -1403,6 +1383,37 @@ pub struct ContourDeploymentEnvoyExtraVolumesHostPath { pub r#type: Option, } +/// image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. +/// The volume is resolved at pod startup depending on which PullPolicy value is provided: +/// - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. +/// - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. +/// - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. +/// The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. +/// A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. +/// The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. +/// The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. +/// The volume will be mounted read-only (ro) and non-executable files (noexec). +/// Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). +/// The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. +#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesImage { + /// Policy for pulling OCI objects. 
Possible values are: + /// Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + /// Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + /// IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + /// Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "pullPolicy")] + pub pull_policy: Option, + /// Required: Image or artifact reference to be used. + /// Behaves in the same way as pod.spec.containers[*].image. + /// Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + /// More info: https://kubernetes.io/docs/concepts/containers/images + /// This field is optional to allow higher level config management to default or override + /// container images in workload controllers like Deployments and StatefulSets. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub reference: Option, +} + /// iscsi represents an ISCSI Disk resource that is attached to a /// kubelet's host machine and then exposed to the pod. /// More info: https://examples.k8s.io/volumes/iscsi/README.md 
@@ -1418,7 +1429,6 @@ pub struct ContourDeploymentEnvoyExtraVolumesIscsi { /// Tip: Ensure that the filesystem type is supported by the host operating system. /// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. /// More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - /// TODO: how do we prevent errors in the filesystem from compromising the machine #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] pub fs_type: Option, /// initiatorName is the custom iSCSI Initiator Name. @@ -1458,9 +1468,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesIscsiSecretRef { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, } 
@@ -1538,12 +1546,14 @@ pub struct ContourDeploymentEnvoyExtraVolumesProjected { /// mode, like fsGroup, and the result can be other mode bits set. #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] pub default_mode: Option, - /// sources is the list of volume projections + /// sources is the list of volume projections. Each entry in this list + /// handles one source. #[serde(default, skip_serializing_if = "Option::is_none")] pub sources: Option>, } -/// Projection that may be projected along with other supported volume types +/// Projection that may be projected along with other supported volume types. +/// Exactly one of these fields must be set. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ContourDeploymentEnvoyExtraVolumesProjectedSources { /// ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field @@ -1659,9 +1669,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesConfigMap { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, /// optional specify whether the ConfigMap or its keys must be defined 
@@ -1760,9 +1768,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesSecret { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, /// optional field specify whether the Secret or its key must be defined @@ -1847,7 +1853,6 @@ pub struct ContourDeploymentEnvoyExtraVolumesRbd { /// Tip: Ensure that the filesystem type is supported by the host operating system. /// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. /// More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - /// TODO: how do we prevent errors in the filesystem from compromising the machine #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] pub fs_type: Option, /// image is the rados image name. @@ -1894,9 +1899,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesRbdSecretRef { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, } 
@@ -1949,9 +1952,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesScaleIoSecretRef { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, } @@ -2045,9 +2046,7 @@ pub struct ContourDeploymentEnvoyExtraVolumesStorageosSecretRef { /// This field is effectively required, but due to backwards compatibility is /// allowed to be empty. Instances of this type with an empty value here are /// almost certainly wrong. - /// TODO: Add other useful fields. apiVersion, kind, uid? /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - /// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. #[serde(default, skip_serializing_if = "Option::is_none")] pub name: Option, } @@ -2199,6 +2198,11 @@ pub struct ContourDeploymentEnvoyResourcesClaims { /// the Pod where this field is used. It makes that resource available /// inside a container. pub name: String, + /// Request is the name chosen for a request in the referenced claim. + /// If empty, everything from the claim is made available, otherwise + /// only the result of this request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub request: Option, } /// RuntimeSettings is a ContourConfiguration spec to be used when 
@@ -3035,8 +3039,7 @@ pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimi #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimitPolicyDescriptors { /// Entries is the list of key-value pair generators. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub entries: Option>, + pub entries: Vec, } /// RateLimitDescriptorEntry is a key-value pair generator. Exactly @@ -3070,8 +3073,7 @@ pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimi #[serde(default, skip_serializing_if = "Option::is_none")] pub key: Option, /// Value defines the value of the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub value: Option, + pub value: String, } /// RemoteAddress defines a descriptor entry with a key of "remote_address" @@ -3086,11 +3088,11 @@ pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimi #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesRequestHeader { /// DescriptorKey defines the key to use on the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "descriptorKey")] - pub descriptor_key: Option, + #[serde(rename = "descriptorKey")] + pub descriptor_key: String, /// HeaderName defines the name of the header to look for on the request. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] - pub header_name: Option, + #[serde(rename = "headerName")] + pub header_name: String, } /// RequestHeaderValueMatch defines a descriptor entry that's populated 
@@ -3109,8 +3111,7 @@ pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimi #[serde(default, skip_serializing_if = "Option::is_none")] pub headers: Option>, /// Value defines the value of the descriptor entry. - #[serde(default, skip_serializing_if = "Option::is_none")] - pub value: Option, + pub value: String, } /// HeaderMatchCondition specifies how to conditionally match against HTTP diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/extensionservices.rs b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/extensionservices.rs index cc70d85b5..df07bc1e4 100644 --- a/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/extensionservices.rs +++ b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/extensionservices.rs @@ -133,8 +133,8 @@ pub struct ExtensionServiceLoadBalancerPolicyRequestHashPoliciesHeaderHashOption /// HeaderName is the name of the HTTP request header that will be used to /// calculate the hash key. If the header specified is not present on a /// request, no hash will be produced. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] - pub header_name: Option, + #[serde(rename = "headerName")] + pub header_name: String, } /// QueryParameterHashOptions should be set when request query parameter hash based load @@ -145,8 +145,8 @@ pub struct ExtensionServiceLoadBalancerPolicyRequestHashPoliciesQueryParameterHa /// ParameterName is the name of the HTTP request query parameter that will be used to /// calculate the hash key. If the query parameter specified is not present on a /// request, no hash will be produced. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "parameterName")] - pub parameter_name: Option, + #[serde(rename = "parameterName")] + pub parameter_name: String, } /// ExtensionServiceSpec defines the desired state of an ExtensionService resource. 
diff --git a/kube-custom-resources-rs/src/sparkoperator_k8s_io/v1beta2/scheduledsparkapplications.rs b/kube-custom-resources-rs/src/sparkoperator_k8s_io/v1beta2/scheduledsparkapplications.rs index f51fb54d8..7494ad96b 100644 --- a/kube-custom-resources-rs/src/sparkoperator_k8s_io/v1beta2/scheduledsparkapplications.rs +++ b/kube-custom-resources-rs/src/sparkoperator_k8s_io/v1beta2/scheduledsparkapplications.rs @@ -90,8 +90,8 @@ pub struct ScheduledSparkApplicationTemplate { #[serde(default, skip_serializing_if = "Option::is_none", rename = "imagePullSecrets")] pub image_pull_secrets: Option>, /// MainFile is the path to a bundled JAR, Python, or R file of the application. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "mainApplicationFile")] - pub main_application_file: Option, + #[serde(rename = "mainApplicationFile")] + pub main_application_file: String, /// MainClass is the fully-qualified main class of the Spark application. /// This only applies to Java/Scala Spark applications. #[serde(default, skip_serializing_if = "Option::is_none", rename = "mainClass")] @@ -320,6 +320,11 @@ pub struct ScheduledSparkApplicationTemplateDriver { /// Sidecars is a list of sidecar containers that run along side the main Spark container. #[serde(default, skip_serializing_if = "Option::is_none")] pub sidecars: Option>, + /// Template is a pod template that can be used to define the driver or executor pod configurations that Spark configurations do not support. + /// Spark version >= 3.0.0 is required. + /// Ref: https://spark.apache.org/docs/latest/running-on-kubernetes.html#pod-template. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub template: Option>, /// Termination grace period seconds for the pod #[serde(default, skip_serializing_if = "Option::is_none", rename = "terminationGracePeriodSeconds")] pub termination_grace_period_seconds: Option, 
@@ -4357,6 +4362,11 @@ pub struct ScheduledSparkApplicationTemplateExecutor { /// Sidecars is a list of sidecar containers that run along side the main Spark container. #[serde(default, skip_serializing_if = "Option::is_none")] pub sidecars: Option>, + /// Template is a pod template that can be used to define the driver or executor pod configurations that Spark configurations do not support. + /// Spark version >= 3.0.0 is required. + /// Ref: https://spark.apache.org/docs/latest/running-on-kubernetes.html#pod-template. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub template: Option>, /// Termination grace period seconds for the pod #[serde(default, skip_serializing_if = "Option::is_none", rename = "terminationGracePeriodSeconds")] pub termination_grace_period_seconds: Option, @@ -8936,6 +8946,16 @@ pub struct ScheduledSparkApplicationTemplateVolumesEphemeralVolumeClaimTemplate /// validation. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct ScheduledSparkApplicationTemplateVolumesEphemeralVolumeClaimTemplateMetadata { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub annotations: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub finalizers: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, } /// The specification for the PersistentVolumeClaim. The entire content is diff --git a/kube-custom-resources-rs/src/sparkoperator_k8s_io/v1beta2/sparkapplications.rs b/kube-custom-resources-rs/src/sparkoperator_k8s_io/v1beta2/sparkapplications.rs index 70e05e505..024589e27 100644 --- a/kube-custom-resources-rs/src/sparkoperator_k8s_io/v1beta2/sparkapplications.rs +++ b/kube-custom-resources-rs/src/sparkoperator_k8s_io/v1beta2/sparkapplications.rs 
@@ -67,8 +67,8 @@ pub struct SparkApplicationSpec { #[serde(default, skip_serializing_if = "Option::is_none", rename = "imagePullSecrets")] pub image_pull_secrets: Option>, /// MainFile is the path to a bundled JAR, Python, or R file of the application. - #[serde(default, skip_serializing_if = "Option::is_none", rename = "mainApplicationFile")] - pub main_application_file: Option, + #[serde(rename = "mainApplicationFile")] + pub main_application_file: String, /// MainClass is the fully-qualified main class of the Spark application. /// This only applies to Java/Scala Spark applications. #[serde(default, skip_serializing_if = "Option::is_none", rename = "mainClass")] @@ -297,6 +297,11 @@ pub struct SparkApplicationDriver { /// Sidecars is a list of sidecar containers that run along side the main Spark container. #[serde(default, skip_serializing_if = "Option::is_none")] pub sidecars: Option>, + /// Template is a pod template that can be used to define the driver or executor pod configurations that Spark configurations do not support. + /// Spark version >= 3.0.0 is required. + /// Ref: https://spark.apache.org/docs/latest/running-on-kubernetes.html#pod-template. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub template: Option>, /// Termination grace period seconds for the pod #[serde(default, skip_serializing_if = "Option::is_none", rename = "terminationGracePeriodSeconds")] pub termination_grace_period_seconds: Option, 
@@ -4334,6 +4339,11 @@ pub struct SparkApplicationExecutor { /// Sidecars is a list of sidecar containers that run along side the main Spark container. #[serde(default, skip_serializing_if = "Option::is_none")] pub sidecars: Option>, + /// Template is a pod template that can be used to define the driver or executor pod configurations that Spark configurations do not support. + /// Spark version >= 3.0.0 is required. + /// Ref: https://spark.apache.org/docs/latest/running-on-kubernetes.html#pod-template. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub template: Option>, /// Termination grace period seconds for the pod #[serde(default, skip_serializing_if = "Option::is_none", rename = "terminationGracePeriodSeconds")] pub termination_grace_period_seconds: Option, @@ -8916,6 +8926,16 @@ pub struct SparkApplicationVolumesEphemeralVolumeClaimTemplate { /// validation. #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)] pub struct SparkApplicationVolumesEphemeralVolumeClaimTemplateMetadata { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub annotations: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub finalizers: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub labels: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, } /// The specification for the PersistentVolumeClaim. The entire content is diff --git a/kube-custom-resources-rs/src/tempo_grafana_com/v1alpha1/tempostacks.rs b/kube-custom-resources-rs/src/tempo_grafana_com/v1alpha1/tempostacks.rs index f77f379f5..c2610a4b0 100644 --- a/kube-custom-resources-rs/src/tempo_grafana_com/v1alpha1/tempostacks.rs +++ b/kube-custom-resources-rs/src/tempo_grafana_com/v1alpha1/tempostacks.rs 
@@ -101,6 +101,21 @@ pub struct TempoStackHashRingMemberlist { /// EnableIPv6 enables IPv6 support for the memberlist based hash ring. #[serde(default, skip_serializing_if = "Option::is_none", rename = "enableIPv6")] pub enable_i_pv6: Option, + /// InstanceAddrType defines the type of address to use to advertise to the ring. + /// Defaults to the first address from any private network interfaces of the current pod. + /// Alternatively the public pod IP can be used in case private networks (RFC 1918 and RFC 6598) + /// are not available. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "instanceAddrType")] + pub instance_addr_type: Option, +} + +/// MemberList configuration spec +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum TempoStackHashRingMemberlistInstanceAddrType { + #[serde(rename = "default")] + Default, + #[serde(rename = "podIP")] + PodIp, } /// Images defines the image for each container. diff --git a/kube-custom-resources-rs/src/tinkerbell_org/v1alpha1/hardware.rs b/kube-custom-resources-rs/src/tinkerbell_org/v1alpha1/hardware.rs index cc3a741ce..106dff6c0 100644 --- a/kube-custom-resources-rs/src/tinkerbell_org/v1alpha1/hardware.rs +++ b/kube-custom-resources-rs/src/tinkerbell_org/v1alpha1/hardware.rs @@ -76,6 +76,9 @@ pub struct HardwareInterfaces { /// DHCP configuration. #[serde(default, skip_serializing_if = "Option::is_none")] pub dhcp: Option, + /// DisableDHCP disables DHCP for this interface. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "disableDhcp")] + pub disable_dhcp: Option, /// Netboot configuration. #[serde(default, skip_serializing_if = "Option::is_none")] pub netboot: Option,