diff --git a/Makefile b/Makefile
index 0b3f176452..32efb7d8ce 100644
--- a/Makefile
+++ b/Makefile
@@ -15,7 +15,7 @@ include $(addprefix ./vendor/github.com/openshift/build-machinery-go/make/, \
 #
 # Example:
 # make check
-check: | verify test-unit
+check: | verify verify-bindata test-unit
 .PHONY: check
 
 IMAGE_REGISTRY?=registry.svc.ci.openshift.org
@@ -86,3 +86,16 @@ export TP_CMD_PATH ?=./cmd/authentication-operator
 export TP_CMD_ARGS ?=operator --config=/var/run/configmaps/config/operator-config.yaml --v=2 --terminate-on-files=/var/run/configmaps/trusted-ca-bundle/ca-bundle.crt
 export TP_LOCK_CONFIGMAP ?=cluster-authentication-operator-lock
 export TP_BUILD_FLAGS ?=-tags ocp
+
+# ensure the rolebindingrestriction CRD is included in bindata
+RBR_CRD_SOURCE := vendor/github.com/openshift/api/authorization/v1/zz_generated.crd-manifests/0000_03_config-operator_01_rolebindingrestrictions.crd.yaml
+RBR_CRD_TARGET := bindata/oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml
+update-bindata: $(RBR_CRD_TARGET)
+$(RBR_CRD_TARGET): $(RBR_CRD_SOURCE)
+	cp $< $@
+
+verify-bindata: verify-rbr-crd
+.PHONY: verify-bindata
+
+verify-rbr-crd:
+	diff -Naup $(RBR_CRD_SOURCE) $(RBR_CRD_TARGET)
diff --git a/bindata/oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml b/bindata/oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml
new file mode 100644
index 0000000000..275e90aeec
--- /dev/null
+++ b/bindata/oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml
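Review bot: `verify-rbr-crd` is never declared `.PHONY` (only `verify-bindata` is), so a stray file named `verify-rbr-crd` in the repo root would make the drift check between the vendored CRD and the bindata copy silently pass; change the declaration to `.PHONY: verify-bindata verify-rbr-crd`. The check is also wired only into `check`, not into `verify`, so if CI runs `make verify` rather than `make check` the bindata copy of an authorization CRD can drift from `vendor/github.com/openshift/api` unnoticed — consider adding `verify: verify-bindata` next to it. `diff -Naup` exits non-zero on a mismatch, which is what you want; a one-line comment such as `# fails when bindata/ no longer matches the vendored openshift/api CRD; run 'make update-bindata'` would tell the next person what to do when it trips.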
@@ -0,0 +1,225 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + name: rolebindingrestrictions.authorization.openshift.io +spec: + group: authorization.openshift.io + names: + kind: RoleBindingRestriction + listKind: RoleBindingRestrictionList + plural: rolebindingrestrictions + singular: rolebindingrestriction + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + RoleBindingRestriction is an object that can be matched against a subject + (user, group, or service account) to determine whether rolebindings on that + subject are allowed in the namespace to which the RoleBindingRestriction + belongs. If any one of those RoleBindingRestriction objects matches + a subject, rolebindings on that subject in the namespace are allowed. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the matcher. + properties: + grouprestriction: + description: grouprestriction matches against group subjects. + nullable: true + properties: + groups: + description: |- + groups is a list of groups used to match against an individual user's + groups. If the user is a member of one of the whitelisted groups, the user + is allowed to be bound to a role. + items: + type: string + nullable: true + type: array + labels: + description: Selectors specifies a list of label selectors over + group labels. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nullable: true + type: array + type: object + serviceaccountrestriction: + description: serviceaccountrestriction matches against service-account + subjects. + nullable: true + properties: + namespaces: + description: namespaces specifies a list of literal namespace + names. + items: + type: string + type: array + serviceaccounts: + description: serviceaccounts specifies a list of literal service-account + names. + items: + description: |- + ServiceAccountReference specifies a service account and namespace by their + names. + properties: + name: + description: name is the name of the service account. + type: string + namespace: + description: |- + namespace is the namespace of the service account. Service accounts from + inside the whitelisted namespaces are allowed to be bound to roles. If + Namespace is empty, then the namespace of the RoleBindingRestriction in + which the ServiceAccountReference is embedded is used. + type: string + type: object + type: array + type: object + userrestriction: + description: userrestriction matches against user subjects. + nullable: true + properties: + groups: + description: groups specifies a list of literal group names. + items: + type: string + nullable: true + type: array + labels: + description: Selectors specifies a list of label selectors over + user labels. + items: + description: |- + A label selector is a label query over a set of resources. 
The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nullable: true + type: array + users: + description: users specifies a list of literal user names. + items: + type: string + type: array + type: object + type: object + type: object + served: true + storage: true diff --git a/cmd/authentication-operator/main.go b/cmd/authentication-operator/main.go index 16496edc59..f755969470 100644 --- a/cmd/authentication-operator/main.go +++ b/cmd/authentication-operator/main.go 
@@ -5,6 +5,7 @@ import ( "github.com/openshift/cluster-authentication-operator/pkg/cmd/mom" "github.com/openshift/cluster-authentication-operator/pkg/cmd/operator" + "github.com/openshift/cluster-authentication-operator/pkg/cmd/render" "github.com/spf13/cobra" "k8s.io/cli-runtime/pkg/genericiooptions" "k8s.io/component-base/cli" @@ -34,6 +35,7 @@ func NewAuthenticationOperatorCommand() *cobra.Command { cmd.AddCommand(mom.NewApplyConfigurationCommand(ioStreams)) cmd.AddCommand(mom.NewInputResourcesCommand(ioStreams)) cmd.AddCommand(mom.NewOutputResourcesCommand(ioStreams)) + cmd.AddCommand(render.NewRender()) return cmd } diff --git a/go.mod b/go.mod index 49d1f24d38..ad31faa531 100644 --- a/go.mod +++ b/go.mod @@ -12,11 +12,13 @@ require ( github.com/openshift/library-go v0.0.0-20250113163708-355465391f40 github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d github.com/spf13/cobra v1.8.1 + github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.9.0 go.etcd.io/etcd/client/v3 v3.5.14 golang.org/x/net v0.29.0 gopkg.in/yaml.v2 v2.4.0 k8s.io/api v0.31.1 + k8s.io/apiextensions-apiserver v0.31.1 k8s.io/apimachinery v0.31.1 k8s.io/apiserver v0.31.1 k8s.io/cli-runtime v0.31.1 @@ -81,7 +83,6 @@ require ( github.com/robfig/cron v1.2.0 // indirect github.com/shopspring/decimal v1.3.1 // indirect github.com/sirupsen/logrus v1.9.3 // indirect - github.com/spf13/pflag v1.0.5 // indirect github.com/stoewer/go-strcase v1.2.0 // indirect github.com/x448/float16 v0.8.4 // indirect go.etcd.io/etcd/api/v3 v3.5.14 // indirect @@ -113,7 +114,6 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.31.1 // indirect k8s.io/kms v0.31.1 // indirect k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect 
diff --git a/pkg/cmd/mom/input_resources_command.go b/pkg/cmd/mom/input_resources_command.go index fd9d778774..1ac4abcdf9 100644 --- a/pkg/cmd/mom/input_resources_command.go +++ b/pkg/cmd/mom/input_resources_command.go @@ -5,6 +5,7 @@ import ( "github.com/openshift/multi-operator-manager/pkg/library/libraryinputresources" "github.com/spf13/cobra" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "k8s.io/cli-runtime/pkg/genericiooptions" ) @@ -63,6 +64,7 @@ func runInputResources(ctx context.Context) (*libraryinputresources.InputResourc libraryinputresources.ExactServiceAccount("openshift-authentication", "oauth-openshift"), libraryinputresources.ExactRoleBinding("openshift-config-managed", "system:openshift:oauth-servercert-trust"), libraryinputresources.ExactRole("openshift-config-managed", "system:openshift:oauth-servercert-trust"), + libraryinputresources.ExactResource(apiextensionsv1.SchemeGroupVersion.Group, apiextensionsv1.SchemeGroupVersion.Version, "customresourcedefinitions", "", "rolebindingrestrictions.authorization.openshift.io"), }, }, }, nil diff --git a/pkg/cmd/mom/output_resources_command.go b/pkg/cmd/mom/output_resources_command.go index 099aed7db2..23c0dbc304 100644 --- a/pkg/cmd/mom/output_resources_command.go +++ b/pkg/cmd/mom/output_resources_command.go @@ -5,6 +5,7 @@ import ( "github.com/openshift/multi-operator-manager/pkg/library/libraryoutputresources" "github.com/spf13/cobra" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "k8s.io/cli-runtime/pkg/genericiooptions" ) 
@@ -56,6 +57,8 @@ func runOutputResources(ctx context.Context) (*libraryoutputresources.OutputReso // these are used to access resources in the user workload cluster libraryoutputresources.ExactServiceAccount("openshift-oauth-apiserver", "oauth-apiserver-sa"), libraryoutputresources.ExactService("openshift-oauth-apiserver", "api"), + + libraryoutputresources.ExactResource(apiextensionsv1.SchemeGroupVersion.Group, apiextensionsv1.SchemeGroupVersion.Version, "customresourcedefinitions", "", "rolebindingrestrictions.authorization.openshift.io"), }, GeneratedNameResources: []libraryoutputresources.GeneratedResourceID{ libraryoutputresources.GeneratedCSR("system:openshift:openshift-authenticator-"), diff --git a/pkg/cmd/render/render.go b/pkg/cmd/render/render.go new file mode 100644 index 0000000000..101738dd8d --- /dev/null +++ b/pkg/cmd/render/render.go 
@@ -0,0 +1,85 @@ +package render + +import ( + "fmt" + "os" + "path/filepath" + + "github.com/openshift/cluster-authentication-operator/bindata" + "github.com/openshift/library-go/pkg/operator/resource/resourceapply" + "github.com/spf13/cobra" + "github.com/spf13/pflag" +) + +const ( + FileModeDirectoryDefault os.FileMode = 0755 + FileModeFileDefault os.FileMode = 0644 +) + +type RenderOptions struct { + AssetOutputDir string + RenderedManifestDir string + ClusterProfile string + PayloadVersion string + Assets resourceapply.AssetFunc + AssetsToRender []string +} + +func (ro *RenderOptions) AddFlags(fs *pflag.FlagSet) { + fs.StringVar(&ro.AssetOutputDir, "asset-output-dir", ro.AssetOutputDir, "Output path for rendered manifests.") + + // Note: Currently these values are unused, but exist to support potential future addition of + // feature-gate aware renderer functionality. Not providing these input-based flags from the beginning + // and adding them later may break users using older versions of the openshift installer to install. + // newer versions of openshift clusters. While we don't technically support this, including the input-based flags + // now reduces our support burden in these cases. + fs.StringVar(&ro.RenderedManifestDir, "rendered-manifest-dir", ro.RenderedManifestDir, "directory containing yaml or json manifests that will be created via cluster-bootstrapping") + fs.StringVar(&ro.ClusterProfile, "cluster-profile", ro.ClusterProfile, "self-managed-high-availability, single-node-developer, ibm-cloud-managed") + fs.StringVar(&ro.PayloadVersion, "payload-version", ro.PayloadVersion, "Version that will eventually be placed into ClusterOperator.status. 
This normally comes from the CVO set via env var: OPERATOR_IMAGE_VERSION.") +} + +func (ro *RenderOptions) Run() error { + err := os.MkdirAll(ro.AssetOutputDir, FileModeDirectoryDefault) + if err != nil { + return fmt.Errorf("creating asset-output-dir: %w", err) + } + + for _, assetToRender := range ro.AssetsToRender { + asset, err := ro.Assets(assetToRender) + if err != nil { + return fmt.Errorf("getting asset %q to be rendered: %w", assetToRender, err) + } + + filename := filepath.Join(ro.AssetOutputDir, filepath.Base(assetToRender)) + err = os.WriteFile(filename, asset, FileModeFileDefault) + if err != nil { + return fmt.Errorf("rendering asset %q to file %q: %w ", assetToRender, filename, err) + } + } + + return nil +} + +// NewRender returns a cobra command responsible +// for rendering bootstrap manifests required by the +// cluster-authentication-operator +func NewRender() *cobra.Command { + renderOpts := &RenderOptions{ + Assets: bindata.Asset, + AssetsToRender: []string{ + "oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml", + }, + } + + renderCmd := &cobra.Command{ + Use: "render", + Short: "render bootstrap manifests", + RunE: func(cmd *cobra.Command, args []string) error { + return renderOpts.Run() + }, + } + + renderOpts.AddFlags(renderCmd.Flags()) + + return renderCmd +} diff --git a/pkg/cmd/render/render_test.go b/pkg/cmd/render/render_test.go new file mode 100644 index 0000000000..3512bf5424 --- /dev/null +++ b/pkg/cmd/render/render_test.go 
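Review bot: `RenderOptions.Run` does not validate `AssetOutputDir`; the flag defaults to `""`, so an invocation without `--asset-output-dir` fails inside `os.MkdirAll("")` with an unhelpful "creating asset-output-dir: mkdir : no such file or directory" instead of naming the missing flag. Add a guard at the top of `Run`: `if ro.AssetOutputDir == "" { return fmt.Errorf("--asset-output-dir is required") }`. Separately, the output name is `filepath.Base(assetToRender)`, so two entries in `AssetsToRender` from different bindata directories with the same base name would silently overwrite each other via `os.WriteFile`; with a single asset today this is latent, but a comment on that line (`// assets are flattened by base name; keep names unique across directories`) would prevent a surprise when more manifests are added.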
@@ -0,0 +1,92 @@ +package render_test + +import ( + "bytes" + "errors" + "io" + "os" + "path/filepath" + "strings" + "testing" + + "github.com/openshift/cluster-authentication-operator/pkg/cmd/render" + "github.com/openshift/library-go/pkg/operator/resource/resourceapply" +) + +func TestRenderOptionsRun(t *testing.T) { + type testcase struct { + name string + assets resourceapply.AssetFunc + assetsToRender []string + expectedErr error + expectedAssets map[string][]byte + } + + testcases := []testcase{ + { + name: "asset-output-dir can be created, fetching asset fails, error", + assets: func(name string) ([]byte, error) { + return nil, errors.New("boom") + }, + assetsToRender: []string{ + "foobar", + }, + expectedAssets: make(map[string][]byte), + expectedErr: errors.New("getting asset \"foobar\" to be rendered:"), + }, + { + name: "asset-output-dir can be created, fetching asset successful, no error, manifest rendered successfully", + assets: func(name string) ([]byte, error) { + return []byte("baz"), nil + }, + assetsToRender: []string{ + "foobar", + }, + expectedAssets: map[string][]byte{ + "foobar": []byte("baz"), + }, + expectedErr: nil, + }, + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + tempDir := t.TempDir() + renderOpts := &render.RenderOptions{ + AssetOutputDir: tempDir, + Assets: tc.assets, + AssetsToRender: tc.assetsToRender, + } + err := renderOpts.Run() + switch { + case err != nil && tc.expectedErr != nil: + if !strings.Contains(err.Error(), tc.expectedErr.Error()) { + t.Fatalf("received error %q does not contain expected error substring %q", err.Error(), tc.expectedErr.Error()) + } + case err != nil && tc.expectedErr == nil: + t.Fatalf("received unexpected error %v", err) + case err == nil && tc.expectedErr != nil: + t.Fatalf("expected and error containing substring %q but did not receive an error", tc.expectedErr.Error()) + } + + for path, contents := range tc.expectedAssets { + file, err := 
os.Open(filepath.Join(tempDir, path)) + if err != nil { + if os.IsNotExist(err) { + t.Fatalf("expected rendered manifest %q to exist in filesystem but it does not", path) + } + t.Fatalf("received unexpected error when checking for existence of rendered manifest %q in filesystem: %v", path, err) + } + + fileContents, err := io.ReadAll(file) + if err != nil { + t.Fatalf("received unexpected error when reading contents of file %q: %v", path, err) + } + + if !bytes.Equal(fileContents, contents) { + t.Fatalf("contents for rendered manifest %q do not match the expected. Rendered contents: %v, expected: %v", path, string(fileContents), string(contents)) + } + } + }) + } +} diff --git a/pkg/dependencymagnet/dependencymagnet.go b/pkg/dependencymagnet/dependencymagnet.go index 3c578218a0..59c101f93b 100644 --- a/pkg/dependencymagnet/dependencymagnet.go +++ b/pkg/dependencymagnet/dependencymagnet.go @@ -6,6 +6,7 @@ package dependencymagnet import ( + _ "github.com/openshift/api/authorization/v1/zz_generated.crd-manifests" _ "github.com/openshift/api/operator/v1/zz_generated.crd-manifests" _ "github.com/openshift/build-machinery-go" ) diff --git a/pkg/operator/replacement_starter.go b/pkg/operator/replacement_starter.go index 0d351f5f7e..cf9e9476f0 100644 --- a/pkg/operator/replacement_starter.go +++ b/pkg/operator/replacement_starter.go @@ -16,6 +16,8 @@ import ( apiregistrationclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" + apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" + operatorv1 "github.com/openshift/api/operator/v1" configclient "github.com/openshift/client-go/config/clientset/versioned" configinformer "github.com/openshift/client-go/config/informers/externalversions" 
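Review bot: The file handle returned by `os.Open` in the `expectedAssets` loop is never closed, and every failure path is a `t.Fatalf`, so the descriptor leaks for the lifetime of the test binary. Replace the open/read pair with `fileContents, err := os.ReadFile(filepath.Join(tempDir, path))`, keep the existing `os.IsNotExist(err)` branch on that error, and drop the now-unused `io` import. The message on the `err == nil && tc.expectedErr != nil` branch also has a typo: `"expected an error containing substring %q but did not receive an error"`.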
@@ -51,6 +53,7 @@ type authenticationOperatorInput struct { authenticationOperatorClient v1helpers.OperatorClient apiregistrationv1Client apiregistrationclient.Interface migrationClient kubemigratorclient.Interface + apiextensionClient apiextensionsclient.Interface eventRecorder events.Recorder clock clock.PassiveClock @@ -88,6 +91,10 @@ func CreateOperatorInputFromMOM(ctx context.Context, momInput libraryapplyconfig if err != nil { return nil, err } + apiextensionClient, err := apiextensionsclient.NewForConfigAndClient(manifestclient.RecommendedRESTConfig(), momInput.MutationTrackingClient.GetHTTPClient()) + if err != nil { + return nil, err + } authenticationOperatorClient, dynamicInformers, err := genericoperatorclient.NewOperatorClientWithClient( momInput.Clock, @@ -130,6 +137,7 @@ func CreateOperatorInputFromMOM(ctx context.Context, momInput libraryapplyconfig authenticationOperatorClient: authenticationOperatorClient, apiregistrationv1Client: apiregistrationv1Client, migrationClient: migrationClient, + apiextensionClient: apiextensionClient, eventRecorder: eventRecorder, clock: momInput.Clock, informerFactories: []libraryapplyconfiguration.SimplifiedInformerFactory{ @@ -167,6 +175,10 @@ func CreateControllerInputFromControllerContext(ctx context.Context, controllerC if err != nil { return nil, err } + apiextensionsClient, err := apiextensionsclient.NewForConfig(controllerContext.KubeConfig) + if err != nil { + return nil, err + } authenticationOperatorClient, dynamicInformers, err := genericoperatorclient.NewClusterScopedOperatorClient( controllerContext.Clock, 
@@ -201,6 +213,7 @@ func CreateControllerInputFromControllerContext(ctx context.Context, controllerC authenticationOperatorClient: authenticationOperatorClient, apiregistrationv1Client: apiregistrationv1Client, migrationClient: migrationClient, + apiextensionClient: apiextensionsClient, eventRecorder: eventRecorder, clock: controllerContext.Clock, informerFactories: []libraryapplyconfiguration.SimplifiedInformerFactory{ diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go index e5f4e3b85b..2648622734 100644 --- a/pkg/operator/starter.go +++ b/pkg/operator/starter.go @@ -100,7 +100,6 @@ func prepareOauthOperator( resourceSyncController *resourcesynccontroller.ResourceSyncController, versionRecorder status.VersionGetter, ) ([]libraryapplyconfiguration.NamedRunOnce, []libraryapplyconfiguration.RunFunc, error) { - clusterVersion, err := authOperatorInput.configClient.ConfigV1().ClusterVersions().Get(ctx, "version", metav1.GetOptions{}) if err != nil { return nil, nil, err @@ -142,8 +141,9 @@ func prepareOauthOperator( "oauth-openshift/oauth-service.yaml", "oauth-openshift/trust_distribution_role.yaml", "oauth-openshift/trust_distribution_rolebinding.yaml", + "oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml", }, - resourceapply.NewKubeClientHolder(authOperatorInput.kubeClient), + resourceapply.NewKubeClientHolder(authOperatorInput.kubeClient).WithAPIExtensionsClient(authOperatorInput.apiextensionClient), authOperatorInput.authenticationOperatorClient, authOperatorInput.eventRecorder, ).AddKubeInformers(informerFactories.kubeInformersForNamespaces) @@ -580,7 +580,6 @@ func prepareOauthAPIServerOperator( WithoutLogLevelController(). WithoutConfigUpgradableController(). PrepareRun() - if err != nil { return nil, nil, err } 
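Review bot: The new client is spelled three ways across the two constructors — the struct field is `apiextensionClient`, the MOM path's local is `apiextensionClient`, and this hunk's local is `apiextensionsClient`, giving `apiextensionClient: apiextensionsClient,`. Pick one spelling; `apiextensionsClient` matches the package name `apiextensionsclient` and the upstream group `apiextensions.k8s.io`, so renaming the field and the MOM-path local to that is the smaller surprise for readers.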
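Review bot: Adding `oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml` to the static resource list means the operator now creates and updates a cluster-scoped `customresourcedefinitions.apiextensions.k8s.io` object, but nothing in this diff touches the operator's ClusterRole or any manifest granting get/create/update (and list/watch for the informer) on CRDs; if that permission is not already present, the static resource controller will report Degraded on every sync. The vendored source path `0000_03_config-operator_01_rolebindingrestrictions.crd.yaml` suggests this CRD has also been shipped in the release payload and reconciled by the CVO — if both continue to own it, please confirm the two copies come from the same openshift/api revision, since `verify-rbr-crd` only checks the repo-side copy. A short comment above the list entry would make the ownership explicit, e.g. `// RoleBindingRestriction CRD: rendered at bootstrap by 'render', then kept in sync here`. `prepareOauthOperator` starts before and ends after this hunk.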
@@ -680,7 +679,7 @@ func singleNameListOptions(name string) func(opts *metav1.ListOptions) { } func apiServices() []*apiregistrationv1.APIService { - var apiServiceGroupVersions = []schema.GroupVersion{ + apiServiceGroupVersions := []schema.GroupVersion{ // these are all the apigroups we manage {Group: "oauth.openshift.io", Version: "v1"}, {Group: "user.openshift.io", Version: "v1"}, diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/2e46-body-authentication-operator.17fe72c59b829800.b2cdb588.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/2e46-body-authentication-operator.17fe72c59b829800.b2cdb588.yaml deleted file mode 100644 index 74c49be1c7..0000000000 --- a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/2e46-body-authentication-operator.17fe72c59b829800.b2cdb588.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: v1 -count: 1 -eventTime: null -firstTimestamp: "2024-10-14T22:38:20Z" -involvedObject: - kind: Deployment - name: authentication-operator - namespace: openshift-authentication-operator -kind: Event -lastTimestamp: "2024-10-14T22:38:20Z" -message: 'Writing updated section ("oauthServer") of observed config: "\u00a0\u00a0map[string]any(\n-\u00a0\tnil,\n+\u00a0\t{\n+\u00a0\t\t\"corsAllowedOrigins\": - []any{string(`//127\\.0\\.0\\.1(:|$)`), string(\"//localhost(:|$)\")},\n+\u00a0\t\t\"oauthConfig\": - map[string]any{\n+\u00a0\t\t\t\"loginURL\": string(\"https://api.ostest.test.metalkube.org:6443\"),\n+\u00a0\t\t\t\"tokenConfig\": - map[string]any{\n+\u00a0\t\t\t\t\"accessTokenMaxAgeSeconds\": float64(86400),\n+\u00a0\t\t\t\t\"authorizeTokenMaxAgeSeconds\": - float64(300),\n+\u00a0\t\t\t},\n+\u00a0\t\t},\n+\u00a0\t\t\"serverArguments\": map[string]any{\n+\u00a0\t\t\t\"audit-log-format\": []any{string(\"json\")},\n+\u00a0\t\t\t\"audit-log-maxbackup\": - []any{string(\"10\")},\n+\u00a0\t\t\t\"audit-log-maxsize\": []any{string(\"100\")},\n+\u00a0\t\t\t\"audit-log-path\": []any{string(\"/var/log/oauth-server/audit.log\")},\n+\u00a0\t\t\t\"audit-policy-file\": []any{string(\"/var/run/configmaps/audit/audit.\"...)},\n+\u00a0\t\t},\n+\u00a0\t\t\"servingInfo\": - map[string]any{\n+\u00a0\t\t\t\"cipherSuites\": []any{\n+\u00a0\t\t\t\tstring(\"TLS_AES_128_GCM_SHA256\"), - string(\"TLS_AES_256_GCM_SHA384\"),\n+\u00a0\t\t\t\tstring(\"TLS_CHACHA20_POLY1305_SHA256\"),\n+\u00a0\t\t\t\tstring(\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM\"...), - ...,\n+\u00a0\t\t\t},\n+\u00a0\t\t\t\"minTLSVersion\": string(\"VersionTLS12\"),\n+\u00a0\t\t},\n+\u00a0\t},\n\u00a0\u00a0)\n"' -metadata: - creationTimestamp: null - name: authentication-operator.17fe72c59b829800.b2cdb588 - namespace: openshift-authentication-operator -reason: ObservedConfigChanged -reportingComponent: "" -reportingInstance: "" -source: - component: cluster-authentication-operator-run-once-sync-context 
-type: Normal diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/3c60-body-authentication-operator.17fe72c59b829800.d64f6f23.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/3c60-body-authentication-operator.17fe72c59b829800.d64f6f23.yaml deleted file mode 100644 index c2b91fab32..0000000000 --- a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/3c60-body-authentication-operator.17fe72c59b829800.d64f6f23.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: v1 -count: 1 -eventTime: null -firstTimestamp: "2024-10-14T22:38:20Z" -involvedObject: - kind: Deployment - name: authentication-operator - namespace: openshift-authentication-operator -kind: Event -lastTimestamp: "2024-10-14T22:38:20Z" -message: 'Writing updated section ("oauthAPIServer") of observed config: "\u00a0\u00a0map[string]any(\n-\u00a0\tnil,\n+\u00a0\t{\n+\u00a0\t\t\"apiServerArguments\": - map[string]any{\n+\u00a0\t\t\t\"api-audiences\": []any{string(\"https://kubernetes.default.svc\")},\n+\u00a0\t\t\t\"cors-allowed-origins\": - []any{string(`//127\\.0\\.0\\.1(:|$)`), string(\"//localhost(:|$)\")},\n+\u00a0\t\t\t\"tls-cipher-suites\": - []any{\n+\u00a0\t\t\t\tstring(\"TLS_AES_128_GCM_SHA256\"), string(\"TLS_AES_256_GCM_SHA384\"),\n+\u00a0\t\t\t\tstring(\"TLS_CHACHA20_POLY1305_SHA256\"),\n+\u00a0\t\t\t\tstring(\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM\"...), - ...,\n+\u00a0\t\t\t},\n+\u00a0\t\t\t\"tls-min-version\": string(\"VersionTLS12\"),\n+\u00a0\t\t},\n+\u00a0\t},\n\u00a0\u00a0)\n"' -metadata: - creationTimestamp: null - name: authentication-operator.17fe72c59b829800.d64f6f23 - namespace: openshift-authentication-operator -reason: ObservedConfigChanged -reportingComponent: "" -reportingInstance: "" -source: - component: cluster-authentication-operator-run-once-sync-context -type: Normal diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/6471-body-authentication-operator.17fe72c59b829800.57eb8535.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/6471-body-authentication-operator.17fe72c59b829800.57eb8535.yaml new file mode 100644 index 0000000000..a240af1a54 --- /dev/null 
+++ b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/6471-body-authentication-operator.17fe72c59b829800.57eb8535.yaml 
@@ -0,0 +1,35 @@ +apiVersion: v1 +count: 1 +eventTime: null +firstTimestamp: "2024-10-14T22:38:20Z" +involvedObject: + kind: Deployment + name: authentication-operator + namespace: openshift-authentication-operator +kind: Event +lastTimestamp: "2024-10-14T22:38:20Z" +message: 'Writing updated section ("oauthServer") of observed config: " map[string]any(\n- + \tnil,\n+ \t{\n+ \t\t\"corsAllowedOrigins\": []any{string(`//127\\.0\\.0\\.1(:|$)`), + string(\"//localhost(:|$)\")},\n+ \t\t\"oauthConfig\": map[string]any{\n+ \t\t\t\"loginURL\": + string(\"https://api.ostest.test.metalkube.org:6443\"),\n+ \t\t\t\"tokenConfig\": + map[string]any{\n+ \t\t\t\t\"accessTokenMaxAgeSeconds\": float64(86400),\n+ \t\t\t\t\"authorizeTokenMaxAgeSeconds\": + float64(300),\n+ \t\t\t},\n+ \t\t},\n+ \t\t\"serverArguments\": map[string]any{\n+ + \t\t\t\"audit-log-format\": []any{string(\"json\")},\n+ \t\t\t\"audit-log-maxbackup\": + []any{string(\"10\")},\n+ \t\t\t\"audit-log-maxsize\": []any{string(\"100\")},\n+ + \t\t\t\"audit-log-path\": []any{string(\"/var/log/oauth-server/audit.log\")},\n+ + \t\t\t\"audit-policy-file\": []any{string(\"/var/run/configmaps/audit/audit.\"...)},\n+ + \t\t},\n+ \t\t\"servingInfo\": map[string]any{\n+ \t\t\t\"cipherSuites\": []any{\n+ + \t\t\t\tstring(\"TLS_AES_128_GCM_SHA256\"), string(\"TLS_AES_256_GCM_SHA384\"),\n+ + \t\t\t\tstring(\"TLS_CHACHA20_POLY1305_SHA256\"),\n+ \t\t\t\tstring(\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM\"...), + ...,\n+ \t\t\t},\n+ \t\t\t\"minTLSVersion\": string(\"VersionTLS12\"),\n+ \t\t},\n+ + \t},\n )\n"' +metadata: + creationTimestamp: null + name: authentication-operator.17fe72c59b829800.57eb8535 + namespace: openshift-authentication-operator +reason: ObservedConfigChanged +reportingComponent: "" +reportingInstance: "" +source: + component: cluster-authentication-operator-run-once-sync-context +type: Normal 
diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/2e46-metadata-authentication-operator.17fe72c59b829800.b2cdb588.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/6471-metadata-authentication-operator.17fe72c59b829800.57eb8535.yaml similarity index 74% rename from test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/2e46-metadata-authentication-operator.17fe72c59b829800.b2cdb588.yaml rename to test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/6471-metadata-authentication-operator.17fe72c59b829800.57eb8535.yaml index d28a5765ab..20f86eeaa6 100644 --- a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/2e46-metadata-authentication-operator.17fe72c59b829800.b2cdb588.yaml +++ b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/6471-metadata-authentication-operator.17fe72c59b829800.57eb8535.yaml @@ -1,7 +1,7 @@ action: Create controllerInstanceName: "" generateName: "" -mame: authentication-operator.17fe72c59b829800.b2cdb588 +mame: authentication-operator.17fe72c59b829800.57eb8535 namespace: openshift-authentication-operator resourceType: Group: "" 
diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/73f2-body-authentication-operator.17fe72c59b829800.df0f8e47.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/73f2-body-authentication-operator.17fe72c59b829800.df0f8e47.yaml new file mode 100644 index 0000000000..5bebf0633a --- /dev/null +++ b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/73f2-body-authentication-operator.17fe72c59b829800.df0f8e47.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +count: 1 +eventTime: null +firstTimestamp: "2024-10-14T22:38:20Z" +involvedObject: + kind: Deployment + name: authentication-operator + namespace: openshift-authentication-operator +kind: Event +lastTimestamp: "2024-10-14T22:38:20Z" +message: Created CustomResourceDefinition.apiextensions.k8s.io/rolebindingrestrictions.authorization.openshift.io + because it was missing +metadata: + creationTimestamp: null + name: authentication-operator.17fe72c59b829800.df0f8e47 + namespace: openshift-authentication-operator +reason: CustomResourceDefinitionCreated +reportingComponent: "" +reportingInstance: "" +source: + component: cluster-authentication-operator-run-once-sync-context +type: Normal 
diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/3c60-metadata-authentication-operator.17fe72c59b829800.d64f6f23.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/73f2-metadata-authentication-operator.17fe72c59b829800.df0f8e47.yaml similarity index 74% rename from test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/3c60-metadata-authentication-operator.17fe72c59b829800.d64f6f23.yaml rename to test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/73f2-metadata-authentication-operator.17fe72c59b829800.df0f8e47.yaml index 614b70cf48..efb2f52656 100644 --- a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/3c60-metadata-authentication-operator.17fe72c59b829800.d64f6f23.yaml +++ b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/73f2-metadata-authentication-operator.17fe72c59b829800.df0f8e47.yaml @@ -1,7 +1,7 @@ action: Create controllerInstanceName: "" generateName: "" -mame: authentication-operator.17fe72c59b829800.d64f6f23 +mame: authentication-operator.17fe72c59b829800.df0f8e47 namespace: openshift-authentication-operator resourceType: Group: "" 
diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/8dd8-body-authentication-operator.17fe72c59b829800.ddb0d0da.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/8dd8-body-authentication-operator.17fe72c59b829800.ddb0d0da.yaml new file mode 100644 index 0000000000..fbf767d3f0 --- /dev/null +++ b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/8dd8-body-authentication-operator.17fe72c59b829800.ddb0d0da.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +count: 1 +eventTime: null +firstTimestamp: "2024-10-14T22:38:20Z" +involvedObject: + kind: Deployment + name: authentication-operator + namespace: openshift-authentication-operator +kind: Event +lastTimestamp: "2024-10-14T22:38:20Z" +message: 'Writing updated section ("oauthAPIServer") of observed config: " map[string]any(\n- + \tnil,\n+ \t{\n+ \t\t\"apiServerArguments\": map[string]any{\n+ \t\t\t\"api-audiences\": []any{string(\"https://kubernetes.default.svc\")},\n+ + \t\t\t\"cors-allowed-origins\": []any{string(`//127\\.0\\.0\\.1(:|$)`), string(\"//localhost(:|$)\")},\n+ + \t\t\t\"tls-cipher-suites\": []any{\n+ \t\t\t\tstring(\"TLS_AES_128_GCM_SHA256\"), + string(\"TLS_AES_256_GCM_SHA384\"),\n+ \t\t\t\tstring(\"TLS_CHACHA20_POLY1305_SHA256\"),\n+ + \t\t\t\tstring(\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM\"...), ...,\n+ \t\t\t},\n+ \t\t\t\"tls-min-version\": + string(\"VersionTLS12\"),\n+ \t\t},\n+ \t},\n )\n"' +metadata: + creationTimestamp: null + name: authentication-operator.17fe72c59b829800.ddb0d0da + namespace: openshift-authentication-operator +reason: ObservedConfigChanged +reportingComponent: "" +reportingInstance: "" +source: + component: cluster-authentication-operator-run-once-sync-context +type: Normal 
diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/8dd8-metadata-authentication-operator.17fe72c59b829800.ddb0d0da.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/8dd8-metadata-authentication-operator.17fe72c59b829800.ddb0d0da.yaml new file mode 100644 index 0000000000..759d93762f --- /dev/null +++ b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/8dd8-metadata-authentication-operator.17fe72c59b829800.ddb0d0da.yaml @@ -0,0 +1,9 @@ +action: Create +controllerInstanceName: "" +generateName: "" +mame: authentication-operator.17fe72c59b829800.ddb0d0da +namespace: openshift-authentication-operator +resourceType: + Group: "" + Resource: events + Version: v1 diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication/core/secrets/03c9-body-v4-0-config-system-session.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication/core/secrets/0fa3-body-v4-0-config-system-session.yaml similarity index 63% rename from test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication/core/secrets/03c9-body-v4-0-config-system-session.yaml rename to test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication/core/secrets/0fa3-body-v4-0-config-system-session.yaml index 8c05aa9954..2173d22248 100644 --- a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication/core/secrets/03c9-body-v4-0-config-system-session.yaml 
+++ b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication/core/secrets/0fa3-body-v4-0-config-system-session.yaml @@ -1,6 +1,6 @@ apiVersion: v1 data: - v4-0-config-system-session: eyJraW5kIjoiU2Vzc2lvblNlY3JldHMiLCJhcGlWZXJzaW9uIjoib3BlcmF0b3J2MWNsaWVudCIsInNlY3JldHMiOlt7ImF1dGhlbnRpY2F0aW9uIjoiWXVyTV8xbnpPSlF4Q1RDQmpxcV8ySUZaSlotSEJOaWNzdi1MVkpLUVdyTi05UlM5b0FtMk9IckdEdlRQRzlfcyIsImVuY3J5cHRpb24iOiJObzVyNXZ3Mlg3d0QzVl9nU2JydHhsUGFpMVJ0c0p1QiJ9XX0= + v4-0-config-system-session: eyJraW5kIjoiU2Vzc2lvblNlY3JldHMiLCJhcGlWZXJzaW9uIjoib3BlcmF0b3J2MWNsaWVudCIsInNlY3JldHMiOlt7ImF1dGhlbnRpY2F0aW9uIjoiLXB4Y0FXN1ptUmI3RnlNanI1b0UxSjIxVThPVk9qRUdlRElsQ2lMS25ISDQtRkp0Nnp2MkhMYmxJM1J3UHRVQSIsImVuY3J5cHRpb24iOiJYQjB2a3Frd1dTVUVHOFV3M28tV20yc2NSSFpzOHVHNCJ9XX0= kind: Secret metadata: creationTimestamp: null diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication/core/secrets/03c9-metadata-v4-0-config-system-session.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication/core/secrets/0fa3-metadata-v4-0-config-system-session.yaml similarity index 100% rename from test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication/core/secrets/03c9-metadata-v4-0-config-system-session.yaml rename to test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication/core/secrets/0fa3-metadata-v4-0-config-system-session.yaml 
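Review bot: The regenerated golden file replaces one piece of live-looking key material with another: the `v4-0-config-system-session` value is base64 of what appears to be a SessionSecrets object carrying `authentication` and `encryption` keys, and it differs between the old and new side (the content-hash prefix in the filename also moved, 03c9 → 0fa3), which indicates the operator mints fresh random secrets on every fixture run and this file will churn on each regeneration. Consider having the expected-output generator redact or deterministically seed this field — e.g. write `v4-0-config-system-session: <redacted>` into the fixture before comparison — so the test is byte-stable and secret scanners are not tripped by committed key material. The values here are presumably test-only and imply no real exposure, but a placeholder makes that explicit. The CSR fixture rename further down this diff (fa09 → 3b6a, 57% similarity) looks like the same non-determinism and would benefit from the same treatment.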
diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/apiextensions.k8s.io/customresourcedefinitions/ac83-body-rolebindingrestrictions.authorization.openshift.io.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/apiextensions.k8s.io/customresourcedefinitions/ac83-body-rolebindingrestrictions.authorization.openshift.io.yaml new file mode 100644 index 0000000000..7a29c3b18c --- /dev/null +++ b/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/apiextensions.k8s.io/customresourcedefinitions/ac83-body-rolebindingrestrictions.authorization.openshift.io.yaml 
@@ -0,0 +1,232 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + creationTimestamp: null + name: rolebindingrestrictions.authorization.openshift.io +spec: + group: authorization.openshift.io + names: + kind: RoleBindingRestriction + listKind: RoleBindingRestrictionList + plural: rolebindingrestrictions + singular: rolebindingrestriction + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + RoleBindingRestriction is an object that can be matched against a subject + (user, group, or service account) to determine whether rolebindings on that + subject are allowed in the namespace to which the RoleBindingRestriction + belongs. If any one of those RoleBindingRestriction objects matches + a subject, rolebindings on that subject in the namespace are allowed. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the matcher. + properties: + grouprestriction: + description: grouprestriction matches against group subjects. + nullable: true + properties: + groups: + description: |- + groups is a list of groups used to match against an individual user's + groups. If the user is a member of one of the whitelisted groups, the user + is allowed to be bound to a role. + items: + type: string + nullable: true + type: array + labels: + description: Selectors specifies a list of label selectors over + group labels. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nullable: true + type: array + type: object + serviceaccountrestriction: + description: serviceaccountrestriction matches against service-account + subjects. + nullable: true + properties: + namespaces: + description: namespaces specifies a list of literal namespace + names. + items: + type: string + type: array + serviceaccounts: + description: serviceaccounts specifies a list of literal service-account + names. + items: + description: |- + ServiceAccountReference specifies a service account and namespace by their + names. + properties: + name: + description: name is the name of the service account. + type: string + namespace: + description: |- + namespace is the namespace of the service account. Service accounts from + inside the whitelisted namespaces are allowed to be bound to roles. If + Namespace is empty, then the namespace of the RoleBindingRestriction in + which the ServiceAccountReference is embedded is used. + type: string + type: object + type: array + type: object + userrestriction: + description: userrestriction matches against user subjects. + nullable: true + properties: + groups: + description: groups specifies a list of literal group names. + items: + type: string + nullable: true + type: array + labels: + description: Selectors specifies a list of label selectors over + user labels. + items: + description: |- + A label selector is a label query over a set of resources. 
The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nullable: true + type: array + users: + description: users specifies a list of literal user names. + items: + type: string + type: array + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/apiextensions.k8s.io/customresourcedefinitions/ac83-metadata-rolebindingrestrictions.authorization.openshift.io.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/apiextensions.k8s.io/customresourcedefinitions/ac83-metadata-rolebindingrestrictions.authorization.openshift.io.yaml new file mode 100644 index 0000000000..18930d4db4 --- /dev/null +++ b/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/apiextensions.k8s.io/customresourcedefinitions/ac83-metadata-rolebindingrestrictions.authorization.openshift.io.yaml @@ -0,0 +1,8 @@ +action: Create +controllerInstanceName: TODO-staticResourceController +generateName: "" +mame: rolebindingrestrictions.authorization.openshift.io +resourceType: + Group: apiextensions.k8s.io + Resource: customresourcedefinitions + Version: v1 
diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/certificates.k8s.io/certificatesigningrequests/fa09-body-system-COLON-openshift-COLON-openshift-authenticator-.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/certificates.k8s.io/certificatesigningrequests/3b6a-body-system-COLON-openshift-COLON-openshift-authenticator-.yaml similarity index 57% rename from test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/certificates.k8s.io/certificatesigningrequests/fa09-body-system-COLON-openshift-COLON-openshift-authenticator-.yaml rename to test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/certificates.k8s.io/certificatesigningrequests/3b6a-body-system-COLON-openshift-COLON-openshift-authenticator-.yaml index 53389ca1ed..1bc423dbac 100644 --- a/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/certificates.k8s.io/certificatesigningrequests/fa09-body-system-COLON-openshift-COLON-openshift-authenticator-.yaml +++ b/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/certificates.k8s.io/certificatesigningrequests/3b6a-body-system-COLON-openshift-COLON-openshift-authenticator-.yaml @@ -6,7 +6,7 @@ metadata: labels: authentication.openshift.io/csr: openshift-authenticator spec: - request: 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 + request: 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 signerName: kubernetes.io/kube-apiserver-client usages: - digital signature 
diff --git a/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/certificates.k8s.io/certificatesigningrequests/fa09-metadata-system-COLON-openshift-COLON-openshift-authenticator-.yaml b/test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/certificates.k8s.io/certificatesigningrequests/3b6a-metadata-system-COLON-openshift-COLON-openshift-authenticator-.yaml similarity index 100% rename from test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/certificates.k8s.io/certificatesigningrequests/fa09-metadata-system-COLON-openshift-COLON-openshift-authenticator-.yaml rename to test-data/apply-configuration/overall/minimal-cluster/expected-output/UserWorkload/Create/cluster-scoped-resources/certificates.k8s.io/certificatesigningrequests/3b6a-metadata-system-COLON-openshift-COLON-openshift-authenticator-.yaml diff --git a/vendor/github.com/openshift/api/authorization/v1/zz_generated.crd-manifests/0000_03_config-operator_01_rolebindingrestrictions.crd.yaml b/vendor/github.com/openshift/api/authorization/v1/zz_generated.crd-manifests/0000_03_config-operator_01_rolebindingrestrictions.crd.yaml new file mode 100644 index 0000000000..275e90aeec --- /dev/null +++ b/vendor/github.com/openshift/api/authorization/v1/zz_generated.crd-manifests/0000_03_config-operator_01_rolebindingrestrictions.crd.yaml 
@@ -0,0 +1,225 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + name: rolebindingrestrictions.authorization.openshift.io +spec: + group: authorization.openshift.io + names: + kind: RoleBindingRestriction + listKind: RoleBindingRestrictionList + plural: rolebindingrestrictions + singular: rolebindingrestriction + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + RoleBindingRestriction is an object that can be matched against a subject + (user, group, or service account) to determine whether rolebindings on that + subject are allowed in the namespace to which the RoleBindingRestriction + belongs. If any one of those RoleBindingRestriction objects matches + a subject, rolebindings on that subject in the namespace are allowed. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the matcher. + properties: + grouprestriction: + description: grouprestriction matches against group subjects. + nullable: true + properties: + groups: + description: |- + groups is a list of groups used to match against an individual user's + groups. If the user is a member of one of the whitelisted groups, the user + is allowed to be bound to a role. + items: + type: string + nullable: true + type: array + labels: + description: Selectors specifies a list of label selectors over + group labels. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nullable: true + type: array + type: object + serviceaccountrestriction: + description: serviceaccountrestriction matches against service-account + subjects. + nullable: true + properties: + namespaces: + description: namespaces specifies a list of literal namespace + names. + items: + type: string + type: array + serviceaccounts: + description: serviceaccounts specifies a list of literal service-account + names. + items: + description: |- + ServiceAccountReference specifies a service account and namespace by their + names. + properties: + name: + description: name is the name of the service account. + type: string + namespace: + description: |- + namespace is the namespace of the service account. Service accounts from + inside the whitelisted namespaces are allowed to be bound to roles. If + Namespace is empty, then the namespace of the RoleBindingRestriction in + which the ServiceAccountReference is embedded is used. + type: string + type: object + type: array + type: object + userrestriction: + description: userrestriction matches against user subjects. + nullable: true + properties: + groups: + description: groups specifies a list of literal group names. + items: + type: string + nullable: true + type: array + labels: + description: Selectors specifies a list of label selectors over + user labels. + items: + description: |- + A label selector is a label query over a set of resources. 
The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nullable: true + type: array + users: + description: users specifies a list of literal user names. + items: + type: string + type: array + type: object + type: object + type: object + served: true + storage: true diff --git a/vendor/github.com/openshift/api/authorization/v1/zz_generated.crd-manifests/doc.go b/vendor/github.com/openshift/api/authorization/v1/zz_generated.crd-manifests/doc.go new file mode 100644 index 0000000000..4db9346934 
--- /dev/null +++ b/vendor/github.com/openshift/api/authorization/v1/zz_generated.crd-manifests/doc.go @@ -0,0 +1 @@ +package authorization_v1_crdmanifests diff --git a/vendor/modules.txt b/vendor/modules.txt index ca55f6c95d..fc8a0f7319 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -185,6 +185,7 @@ github.com/openshift/api/apps github.com/openshift/api/apps/v1 github.com/openshift/api/authorization github.com/openshift/api/authorization/v1 +github.com/openshift/api/authorization/v1/zz_generated.crd-manifests github.com/openshift/api/build github.com/openshift/api/build/v1 github.com/openshift/api/cloudnetwork