diff --git a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml index 37248a5956c..bfbed47e109 100644 --- a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml @@ -390,27 +390,6 @@ tests: transitKey: my-key expectedError: "appRole config is required when authentication type is AppRole" - # transitMount required field validation - - name: Should reject Vault KMS config without transitMount - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: Vault - vault: - kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef - vaultAddress: https://vault.example.com:8200 - authentication: - type: AppRole - appRole: - secret: - name: vault-approle - transitKey: my-key - expectedError: "Required value" - # kmsPluginImage validation tests - name: Should reject kmsPluginImage with tag instead of digest initial: | diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go index 6b58d9da49b..9eddb26b808 100644 --- a/config/v1/types_kmsencryption.go +++ b/config/v1/types_kmsencryption.go 
@@ -193,10 +193,14 @@ type VaultKMSPluginConfig struct { // transitMount specifies the mount path of the Vault Transit engine. // - // The transit mount must be between 1 and 1024 characters, cannot start or - // end with a forward slash, cannot contain consecutive forward slashes, and - // must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - // period, underscore, tilde) and forward slashes as path separators. + // When omitted, this means the user has no opinion and the platform is left + // to choose a reasonable default. These defaults are subject to change over time. + // The current default is "transit". + // + // The transit mount must be between 1 and 1024 characters when specified, cannot start or + // end with a forward slash, cannot contain consecutive forward slashes, and must only contain + // RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + // slashes as path separators. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=1024 @@ -204,7 +208,7 @@ type VaultKMSPluginConfig struct { // +kubebuilder:validation:XValidation:rule="!self.endsWith('/')",message="transitMount cannot end with a forward slash" // +kubebuilder:validation:XValidation:rule="!self.contains('//')",message="transitMount cannot contain consecutive forward slashes" // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._~/-]+$')",message="transitMount must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes" - // +required + // +optional TransitMount string `json:"transitMount,omitempty"` // transitKey specifies the name of the encryption key in Vault's Transit engine. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index df1e70f5c89..61d45cf1a20 100644 
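Review bot: Switching `TransitMount` from `+required` to `+optional` removes the only fixture that mentioned an omitted transitMount (the deleted `Should reject Vault KMS config without transitMount` case in VaultKMS.yaml), and no positive case replaces it in this diff, so the new contract is unpinned. I would add an `onCreate` case such as `- name: Should accept Vault KMS config without transitMount` whose `expected:` echoes the `initial:` spec with the field absent, so a later drift back to required is caught. The new comment names "transit" as the current default, but nothing in the hunk applies it (no defaulting marker), so presumably the consuming component fills it in; if that is the intended split, a sentence stating that the default is applied outside the API would spare readers the guess. The `VaultKMSPluginConfig` struct starts and ends outside this hunk.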
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 728c23fcf7b..1a8c79602f9 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 4aab1f5219a..0ed66f3a742 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index 0c4f2f47217..02e0b50d07e 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 65c3c2ce88d..3ded5fe2b43 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -2467,7 +2467,7 @@ var map_VaultKMSPluginConfig = map[string]string{ "vaultNamespace": "vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. This is only applicable for Vault Enterprise installations. When this field is not set, no namespace is used.\n\nThe value must be between 1 and 4096 characters. The namespace cannot end with a forward slash, cannot contain spaces, and cannot be one of the reserved strings: root, sys, audit, auth, cubbyhole, or identity.", "tls": "tls contains the TLS configuration for connecting to the Vault server. When this field is not set, system default TLS settings are used.", "authentication": "authentication defines the authentication method used to authenticate with Vault.", - "transitMount": "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", + "transitMount": "transitMount specifies the mount path of the Vault Transit engine.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a reasonable default. These defaults are subject to change over time. The current default is \"transit\".\n\nThe transit mount must be between 1 and 1024 characters when specified, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", "transitKey": "transitKey specifies the name of the encryption key in Vault's Transit engine. 
This key is used to encrypt and decrypt data.\n\nThe transit key must be between 1 and 512 characters, cannot contain forward slashes, and must only contain alphanumeric characters, hyphens, periods, and underscores.", } diff --git a/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index 4af134c0d34..f72ead8d98d 100644 --- a/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
@@ -2276,6 +2276,90 @@ tests: request: "100m" limit: "0" expectedError: 'spec.nodeExporterConfig.resources[0].limit: Invalid value: "": limit must be a positive, non-zero quantity' + - name: Should accept prometheusConfig retention duration + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + duration: "15h" + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + duration: "15h" + - name: Should accept prometheusConfig retention size + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + size: "500MiB" + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + size: "500MiB" + - name: Should reject invalid prometheusConfig retention duration + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + duration: "15days" + expectedError: 'spec.prometheusConfig.retention.duration: Invalid value: "string": must be a valid Prometheus duration string' + - name: Should reject invalid prometheusConfig retention size + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + size: "500Mi" + expectedError: 'spec.prometheusConfig.retention.size: Invalid value: "string": must be a valid Prometheus byte-size string' + - name: Should reject prometheusConfig retention with both durationInDays and duration + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + durationInDays: 
15 + duration: "15d" + expectedError: 'durationInDays and duration cannot both be set' + - name: Should reject prometheusConfig retention with both sizeInGiB and size + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + sizeInGiB: 500 + size: "500GiB" + expectedError: 'sizeInGiB and size cannot both be set' onUpdate: - name: Should reject updating TelemeterClientConfig to empty object initial: | diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go index 1f8693492d2..f2f432132cf 100644 --- a/config/v1alpha1/types_cluster_monitoring.go +++ b/config/v1alpha1/types_cluster_monitoring.go @@ -1340,7 +1340,7 @@ type PrometheusConfig struct { // +kubebuilder:validation:MinItems=1 Resources []ContainerResource `json:"resources,omitempty"` // retention configures how long Prometheus retains metrics data and how much storage it can use. - // When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit). + // When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit). // +optional Retention Retention `json:"retention,omitempty,omitzero"` // tolerations defines tolerations for the pods. 
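Review bot: The new retention cases never exercise the documented `"0"` value for `duration` or `size`, and the accept side of the two new patterns is covered only by the single happy-path fixtures (`"15h"`, `"500MiB"`), so fractional sizes, multi-unit durations and the 64/32-character limits are untested. I would add accept cases in the same shape, e.g. `duration: "0"` and `size: "0"` with matching `expected:` blocks, plus a multi-unit value like `duration: "1h30m"`, and reject cases for a wrong-case unit such as `duration: "15D"` and an over-length value, since the pattern is case-sensitive and the length limits are otherwise unobserved. The `onCreate` list this hunk extends starts outside the hunk.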
@@ -2234,8 +2234,11 @@ type SecretKeySelector struct { // Retention configures how long Prometheus retains metrics data and how much storage it can use. // +kubebuilder:validation:MinProperties=1 +// +kubebuilder:validation:XValidation:rule="!has(self.durationInDays) || !has(self.duration)",message="durationInDays and duration cannot both be set" +// +kubebuilder:validation:XValidation:rule="!has(self.sizeInGiB) || !has(self.size)",message="sizeInGiB and size cannot both be set" type Retention struct { // durationInDays specifies how many days Prometheus will retain metrics data. + // Deprecated: use duration instead. durationInDays and duration cannot both be set. // Prometheus automatically deletes data older than this duration. // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. // The default value is 15. @@ -2245,8 +2248,10 @@ type Retention struct { // +kubebuilder:validation:Maximum=365 // +optional DurationInDays int32 `json:"durationInDays,omitempty"` + // sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus // can use for data blocks and the write-ahead log (WAL). + // Deprecated: use size instead. sizeInGiB and size cannot both be set. // When the limit is reached, Prometheus will delete oldest data first. // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. // Minimum value is 1 GiB. 
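Review bot: The `// Deprecated:` notices added to `DurationInDays` and `SizeInGiB` are placed mid-paragraph, right after the first sentence, so tools that follow the Go doc convention (which expects `Deprecated:` to open its own paragraph) will not recognize them as deprecation markers, if this project runs such tools. Move each notice to the end of its comment block behind a blank `//` line, e.g. `//` then `// Deprecated: use duration instead. durationInDays and duration cannot both be set.`, directly above the kubebuilder markers; the regenerated CRD descriptions and swagger docs in this diff will then carry the notice in the conventional position too. The `Retention` struct continues past this hunk.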
@@ -2255,6 +2260,39 @@ type Retention struct { // +kubebuilder:validation:Maximum=16384 // +optional SizeInGiB int32 `json:"sizeInGiB,omitempty"` + + // duration is an optional field that specifies how long Prometheus retains metrics data. + // Valid values are Prometheus duration strings composed of non-negative integer components + // with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + // Single-unit forms such as "15d" or "24h" are recommended over composite durations with + // zero-valued components (for example, "0y5d"), which are redundant but valid upstream. + // Must be at least 1 character and at most 64 characters. + // When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", + // "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical + // documented form for disabling time-based retention. + // Prometheus automatically deletes data older than this duration. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // The current default value is `15d`. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=64 + // +kubebuilder:validation:XValidation:rule=`self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$')`,message="must be a valid Prometheus duration string" + // +optional + Duration string `json:"duration,omitempty"` + + // size is an optional field that specifies the maximum storage size that Prometheus + // can use for data blocks and the write-ahead log (WAL). + // Valid values are Prometheus byte-size strings with an optional decimal prefix and a + // unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB + // (for example, "500MiB", "10GiB"). + // Must be at least 1 character and at most 32 characters. + // When set to "0", no size limit is enforced. 
+ // When the limit is reached, Prometheus deletes oldest data first. + // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=32 + // +kubebuilder:validation:XValidation:rule=`self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$')`,message="must be a valid Prometheus byte-size string" + // +optional + Size string `json:"size,omitempty"` } // RelabelAction defines the action to perform in a relabeling rule. diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml index b6968ddb931..28b1406aabc 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml 
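Review bot: The CEL pattern on `Duration` bounds only the total length (64), not the individual numeric components, so a value with, say, twenty digits of years matches `[0-9]+`, is admitted, and can only be rejected downstream when Prometheus parses it; the same holds for `Size`, whose integer part is likewise unbounded. If fail-fast at admission is the goal, consider capping each component, e.g. `[0-9]{1,10}` in place of `[0-9]+` in both rules (the exact cap should be checked against what Prometheus accepts), and adding a fixture for an oversized value. The `Size` doc also says "optional decimal prefix", which reads as the fraction before the unit; saying "optional fractional part (for example, "1.5GiB")" would match the `([0-9]*[.])?[0-9]+` grammar more directly. The `Retention` struct begins outside this hunk.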
@@ -4130,12 +4130,33 @@ spec: retention: description: |- retention configures how long Prometheus retains metrics data and how much storage it can use. - When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit). + When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit). minProperties: 1 properties: + duration: + description: |- + duration is an optional field that specifies how long Prometheus retains metrics data. + Valid values are Prometheus duration strings composed of non-negative integer components + with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + Single-unit forms such as "15d" or "24h" are recommended over composite durations with + zero-valued components (for example, "0y5d"), which are redundant but valid upstream. + Must be at least 1 character and at most 64 characters. + When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", + "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical + documented form for disabling time-based retention. + Prometheus automatically deletes data older than this duration. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is `15d`. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus duration string + rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') durationInDays: description: |- durationInDays specifies how many days Prometheus will retain metrics data. + Deprecated: use duration instead. durationInDays and duration cannot both be set. Prometheus automatically deletes data older than this duration. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. @@ -4145,10 +4166,28 @@ spec: maximum: 365 minimum: 1 type: integer + size: + description: |- + size is an optional field that specifies the maximum storage size that Prometheus + can use for data blocks and the write-ahead log (WAL). + Valid values are Prometheus byte-size strings with an optional decimal prefix and a + unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB + (for example, "500MiB", "10GiB"). + Must be at least 1 character and at most 32 characters. + When set to "0", no size limit is enforced. + When the limit is reached, Prometheus deletes oldest data first. + When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. + maxLength: 32 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus byte-size string + rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') sizeInGiB: description: |- sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). + Deprecated: use size instead. sizeInGiB and size cannot both be set. When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. @@ -4158,6 +4197,11 @@ spec: minimum: 1 type: integer type: object + x-kubernetes-validations: + - message: durationInDays and duration cannot both be set + rule: '!has(self.durationInDays) || !has(self.duration)' + - message: sizeInGiB and size cannot both be set + rule: '!has(self.sizeInGiB) || !has(self.size)' tolerations: description: |- tolerations defines tolerations for the pods. 
diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index 34b63cefbbc..754cdf4eb65 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
@@ -4130,12 +4130,33 @@ spec: retention: description: |- retention configures how long Prometheus retains metrics data and how much storage it can use. - When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit). + When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit). minProperties: 1 properties: + duration: + description: |- + duration is an optional field that specifies how long Prometheus retains metrics data. + Valid values are Prometheus duration strings composed of non-negative integer components + with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + Single-unit forms such as "15d" or "24h" are recommended over composite durations with + zero-valued components (for example, "0y5d"), which are redundant but valid upstream. + Must be at least 1 character and at most 64 characters. + When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", + "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical + documented form for disabling time-based retention. + Prometheus automatically deletes data older than this duration. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is `15d`. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus duration string + rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') durationInDays: description: |- durationInDays specifies how many days Prometheus will retain metrics data. + Deprecated: use duration instead. durationInDays and duration cannot both be set. Prometheus automatically deletes data older than this duration. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. @@ -4145,10 +4166,28 @@ spec: maximum: 365 minimum: 1 type: integer + size: + description: |- + size is an optional field that specifies the maximum storage size that Prometheus + can use for data blocks and the write-ahead log (WAL). + Valid values are Prometheus byte-size strings with an optional decimal prefix and a + unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB + (for example, "500MiB", "10GiB"). + Must be at least 1 character and at most 32 characters. + When set to "0", no size limit is enforced. + When the limit is reached, Prometheus deletes oldest data first. + When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. + maxLength: 32 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus byte-size string + rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') sizeInGiB: description: |- sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). + Deprecated: use size instead. sizeInGiB and size cannot both be set. When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. @@ -4158,6 +4197,11 @@ spec: minimum: 1 type: integer type: object + x-kubernetes-validations: + - message: durationInDays and duration cannot both be set + rule: '!has(self.durationInDays) || !has(self.duration)' + - message: sizeInGiB and size cannot both be set + rule: '!has(self.sizeInGiB) || !has(self.size)' tolerations: description: |- tolerations defines tolerations for the pods. 
diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 0b364ee25cb..da06a4a5970 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -504,7 +504,7 @@ var map_PrometheusConfig = map[string]string{ "queryLogFile": "queryLogFile specifies the file to which PromQL queries are logged. This setting can be either a filename, in which case the queries are saved to an `emptyDir` volume at `/var/log/prometheus`, or a full path to a location where an `emptyDir` volume will be mounted and the queries saved. Writing to `/dev/stderr`, `/dev/stdout` or `/dev/null` is supported, but writing to any other `/dev/` path is not supported. Relative paths are also not supported. By default, PromQL queries are not logged. Must be an absolute path starting with `/` or a simple filename without path separators. Must not contain consecutive slashes, end with a slash, or include '..' path traversal. Must contain only alphanumeric characters, '.', '_', '-', or '/'. Must be between 1 and 255 characters in length.", "remoteWrite": "remoteWrite defines the remote write configuration, including URL, authentication, and relabeling settings. Remote write allows Prometheus to send metrics it collects to external long-term storage systems. When omitted, no remote write endpoints are configured. When provided, at least one configuration must be specified (minimum 1, maximum 10 items). Entries must have unique names (name is the list key).", "resources": "resources defines the compute resource requests and limits for the Prometheus container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. 
Each resource name must be unique within this list.", - "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).", + "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit).", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Prometheus Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", "collectionProfile": "collectionProfile defines the metrics collection profile that Prometheus uses to collect metrics from the platform components. Supported values are `Full` or `Minimal`. In the `Full` profile (default), Prometheus collects all metrics that are exposed by the platform components. In the `Minimal` profile, Prometheus only collects metrics necessary for the default platform alerts, recording rules, telemetry and console dashboards. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is `Full`.", 
@@ -638,8 +638,10 @@ func (ReplaceActionConfig) SwaggerDoc() map[string]string { var map_Retention = map[string]string{ "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", - "durationInDays": "durationInDays specifies how many days Prometheus will retain metrics data. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", - "sizeInGiB": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", + "durationInDays": "durationInDays specifies how many days Prometheus will retain metrics data. Deprecated: use duration instead. durationInDays and duration cannot both be set. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", + "sizeInGiB": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). Deprecated: use size instead. sizeInGiB and size cannot both be set. When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", + "duration": "duration is an optional field that specifies how long Prometheus retains metrics data. 
Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + "size": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", } func (Retention) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index e3fde46a4c3..e68b0414f01 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -22878,7 +22878,7 @@ func schema_openshift_api_config_v1_VaultKMSPluginConfig(ref common.ReferenceCal }, "transitMount": { SchemaProps: spec.SchemaProps{ - Description: "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", + Description: "transitMount specifies the mount path of the Vault Transit engine.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a reasonable default. These defaults are subject to change over time. The current default is \"transit\".\n\nThe transit mount must be between 1 and 1024 characters when specified, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", Type: []string{"string"}, Format: "", }, @@ -22891,7 +22891,7 @@ func schema_openshift_api_config_v1_VaultKMSPluginConfig(ref common.ReferenceCal }, }, }, - Required: []string{"kmsPluginImage", "vaultAddress", "authentication", "transitMount", "transitKey"}, + Required: []string{"kmsPluginImage", "vaultAddress", "authentication", "transitKey"}, }, }, Dependencies: []string{ 
@@ -25716,7 +25716,7 @@ func schema_openshift_api_config_v1alpha1_PrometheusConfig(ref common.ReferenceC }, "retention": { SchemaProps: spec.SchemaProps{ - Description: "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).", + Description: "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit).", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1alpha1.Retention"), }, 
@@ -26451,18 +26451,32 @@ func schema_openshift_api_config_v1alpha1_Retention(ref common.ReferenceCallback Properties: map[string]spec.Schema{ "durationInDays": { SchemaProps: spec.SchemaProps{ - Description: "durationInDays specifies how many days Prometheus will retain metrics data. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", + Description: "durationInDays specifies how many days Prometheus will retain metrics data. Deprecated: use duration instead. durationInDays and duration cannot both be set. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", Type: []string{"integer"}, Format: "int32", }, }, "sizeInGiB": { SchemaProps: spec.SchemaProps{ - Description: "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", + Description: "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). Deprecated: use size instead. sizeInGiB and size cannot both be set. When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. 
Maximum value is 16384 GiB (16 TiB).", Type: []string{"integer"}, Format: "int32", }, }, + "duration": { + SchemaProps: spec.SchemaProps{ + Description: "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + Type: []string{"string"}, + Format: "", + }, + }, + "size": { + SchemaProps: spec.SchemaProps{ + Description: "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + Type: []string{"string"}, + Format: "", + }, + }, }, }, }, 
diff --git a/openapi/openapi.json b/openapi/openapi.json index 0ef7fb0e1c5..45657497939 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -16873,19 +16873,21 @@ "type": "string" }, "clientSecret": { - "description": "clientSecret is the client secret to use during the OAuth2 client credentials flow. clientSecret must be at least 1 character in length, must not exceed 256 characters in length, and must only contain printable ASCII characters.", - "type": "string" + "description": "clientSecret is a required reference to a Secret in the openshift-config namespace to be used as the client secret during the OAuth2 client credentials flow.\n\nThe key 'client-secret' is used to locate the client secret data in the Secret.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ClientSecretSecretReference" }, "scopes": { - "description": "scopes is an optional list of OAuth2 scopes to request when obtaining an access token.\n\nIf not specified, the token endpoint's default scopes will be used.\n\nWhen specified, there must be at least 1 entry and must not exceed 16 entries. Each entry must be at least 1 character in length and must not exceed 256 characters in length. Each entry must only contain printable ASCII characters, excluding spaces, double quotes (\") and backslashes (\\).", + "description": "scopes is an optional list of OAuth2 scopes to request when obtaining an access token.\n\nIf not specified, the token endpoint's default scopes will be used.\n\nWhen specified, there must be at least 1 entry and must not exceed 16 entries. Each entry must be at least 1 character in length and must not exceed 256 characters in length. Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. 
Entries must be unique.", "type": "array", "items": { "type": "string", "default": "" - } + }, + "x-kubernetes-list-type": "set" }, "tls": { - "description": "tls is an optional field that allows configuring the TLS settings used to interact with the identity provider as an OAuth2 client.", + "description": "tls is an optional field that allows configuring the TLS settings used to interact with the identity provider as an OAuth2 client.\n\nWhen omitted, system default TLS settings will be used for the OAuth2 client.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceTLS" }, @@ -16895,6 +16897,19 @@ } } }, + "com.github.openshift.api.config.v1.ClientSecretSecretReference": { + "description": "ClientSecretSecretReference is a reference to a Secret in the openshift-config namespace that should be used for configuring the client secret to be used when sourcing claims from external sources with the client credential authentication flow.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name is the required name of the Secret that exists in the openshift-config namespace.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.CloudControllerManagerStatus": { "description": "CloudControllerManagerStatus holds the state of Cloud Controller Manager (a.k.a. CCM or CPI) related settings", "type": "object", 
@@ -18180,36 +18195,36 @@ ], "properties": { "authentication": { - "description": "authentication is an optional field that configures how the apiserver authenticates with an external claims source. When not specified, anonymous authentication is used.", + "description": "authentication is an optional field that configures how the apiserver authenticates with an external claims source. When not specified, anonymous authentication is used which means no 'Authorization' header is sent in the HTTP request to fetch the external claims.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceAuthentication" }, - "conditions": { - "description": "conditions is an optional list of conditions in which claims should attempt to be fetched from this external source.\n\nWhen omitted or empty, claims are always attempted to be fetched from this external source.\n\nWhen specified, all conditions must evaluate to 'true' before claims are attempted to be fetched from this external source.\n\nconditions must not exceed 16 entries. Entries must have unique expressions.", + "mappings": { + "description": "mappings is a required list of the claim and response handling expression pairs that produces the claims from the external source. mappings must have at least 1 entry and must not exceed 16 entries. Entries must have a unique name across all external claim sources.", "type": "array", "items": { "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceCondition" + "$ref": "#/definitions/com.github.openshift.api.config.v1.SourcedClaimMapping" }, "x-kubernetes-list-map-keys": [ - "expression" + "name" ], "x-kubernetes-list-type": "map" }, - "mappings": { - "description": "mappings is a required list of the claim and response handling expression pairs that produces the claims from the external source. mappings must have at least 1 entry and must not exceed 16 entries. 
Entries must have a unique name across all external claim sources.", + "predicates": { + "description": "predicates is an optional list of constraints in which claims should attempt to be fetched from this external source.\n\nWhen omitted, claims are always fetched from this external source.\n\nWhen specified, all predicates must evaluate to 'true' before claims are attempted to be fetched from this external source. predicates must have at least 1 entry and must not exceed 16 entries. Entries must have unique expressions.", "type": "array", "items": { "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.SourcedClaimMapping" + "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourcePredicate" }, "x-kubernetes-list-map-keys": [ - "name" + "expression" ], "x-kubernetes-list-type": "map" }, "tls": { - "description": "tls is an optional field that configures the http client TLS settings when fetching external claims from this source.", + "description": "tls is an optional field that configures the http client TLS settings when fetching external claims from this source.\n\nWhen omitted, system default TLS settings will be used for fetching claims from the external source.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceTLS" }, 
@@ -18307,28 +18322,28 @@ } } }, - "com.github.openshift.api.config.v1.ExternalSourceCertificateAuthoritySecretReference": { - "description": "CertificateAuthoritySecretReference is a reference to a Secret in the openshift-config namespace that should be used for configuring the certificate authority to be used when sourcing claims from external sources.", + "com.github.openshift.api.config.v1.ExternalSourceCertificateAuthorityConfigMapReference": { + "description": "ExternalSourceCertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config namespace that should be used for configuring the certificate authority to be used when sourcing claims from external sources.", "type": "object", "required": [ "name" ], "properties": { "name": { - "description": "name is the required name of the Secret that exists in the openshift-config namespace.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", + "description": "name is the required name of the ConfigMap that exists in the openshift-config namespace. 
The key \"ca-bundle.crt\" must be present and must contain the CA certificate to be used to verify the external source's TLS certificate.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", "type": "string" } } }, - "com.github.openshift.api.config.v1.ExternalSourceCondition": { - "description": "ExternalSourceCondition configures a singular condition that must return true before the external source is queried to retrieve external claims.", + "com.github.openshift.api.config.v1.ExternalSourcePredicate": { + "description": "ExternalSourcePredicate configures a singular condition that must return true before the external source is queried to retrieve external claims.", "type": "object", "required": [ "expression" ], "properties": { "expression": { - "description": "expression is a required CEL expression that is used to determine whether or not an external source should be used to fetch external claims.\n\nThe expression must return a boolean value, where true means that the source should be consulted and false means that it should not.\n\nClaims from the token used for the request to the kube-apiserver are made available via the `claims` variable.\n\nexpression must be at least 1 character and must not exceed 1024 characters in length.", + "description": "expression is a required CEL expression that is used to determine whether or not an external source should be used to fetch external claims.\n\nThe expression must return a boolean value, where true means that the source should be consulted and false means that it should not.\n\nClaims from the token used for the request to the kube-apiserver are made available via the `claims` variable.\n\nThe contents of the `claims` variable varies based on the claims that are present in the token being validated. 
It is the responsibility of those configuring this field to understand what claims the identity provider includes when issuing tokens.\n\nexpression must be at least 1 character and must not exceed 1024 characters in length.", "type": "string" } } @@ -18341,9 +18356,9 @@ ], "properties": { "certificateAuthority": { - "description": "certificateAuthority is a required reference to a secret in the openshift-config namespace that contains the CA certificate to use to validate TLS connections with the external claims source.", + "description": "certificateAuthority is a required reference to a ConfigMap in the openshift-config namespace that contains the CA certificate to use to validate TLS connections with the external claims source. The key \"ca-bundle.crt\" must be present in the referenced ConfigMap and must contain the CA certificate to be used to verify the external source's TLS certificate.", "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceCertificateAuthoritySecretReference" + "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceCertificateAuthorityConfigMapReference" } } }, 
@@ -20662,6 +20677,19 @@ } } }, + "com.github.openshift.api.config.v1.NetworkObservabilitySpec": { + "description": "NetworkObservabilitySpec defines the configuration for network observability installation", + "type": "object", + "required": [ + "installationPolicy" + ], + "properties": { + "installationPolicy": { + "description": "installationPolicy controls whether network observability is installed during cluster deployment. Valid values are \"InstallAndEnable\" and \"NoAction\". When set to \"InstallAndEnable\", ensure that network observability will be installed and enabled on the cluster. If already installed, no action taken, but if it gets uninstalled, it will install it again. When set to \"NoAction\", nothing will be done regarding Network observability.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.NetworkSpec": { "description": "NetworkSpec is the desired network configuration. As a general rule, this SHOULD NOT be read directly. Instead, you should consume the NetworkStatus, as it indicates the currently deployed configuration. Currently, most spec fields are immutable after installation. Please view the individual ones for further details on each.", "type": "object", 
@@ -20689,6 +20717,11 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.NetworkDiagnostics" }, + "networkObservability": { + "description": "networkObservability is an optional field that configures network observability installation during cluster deployment (day-0). When omitted, unless this is a SNO cluster, network observability will be installed if not already present, after that, no action taken.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.NetworkObservabilitySpec" + }, "networkType": { "description": "networkType is the plugin that is to be deployed (e.g. OVNKubernetes). This should match a value that the cluster-network-operator understands, or else no networking will be installed. Currently supported values are: - OVNKubernetes This field is immutable after installation.", "type": "string", 
@@ -21352,7 +21385,7 @@ "x-kubernetes-list-type": "atomic" }, "externalClaimsSources": { - "description": "externalClaimSources is an optional field that can be used to configure sources, external to the token provided in a request, in which claims should be fetched from and made available to the claim mapping process that is used to build the identity of a token holder.\n\nFor example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.\n\nWhen not specified, only claims present in the token itself will be available in the claim mapping process.\n\nWhen specified, at least one external claim source must be specified and no more than 5 sources may be specified.", + "description": "externalClaimsSources is an optional field that can be used to configure sources, external to the token provided in a request, in which claims should be fetched from and made available to the claim mapping process that is used to build the identity of a token holder.\n\nFor example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.\n\nWhen not specified, only claims present in the token itself will be available in the claim mapping process.\n\nWhen specified, at least one external claim source must be specified and no more than 5 sources may be specified. All external claim sources must have unique claim mappings. When an external source responds and resolves additional claims successfully, they will be made available as claims during the claim mapping process. Externally sourced claims with the same name as a claim existing within the token will overwrite the claim data from the token with the externally sourced information. If an external source does not respond, responds with an error, or the additional claim data cannot be resolved from the response successfully it will not be included in the claim data passed to the claim mapping process.", "type": "array", "items": { "default": {}, 
@@ -22908,11 +22941,11 @@ ], "properties": { "hostname": { - "description": "hostname is a required hostname for which the external claims are located.\n\nIt must be a valid DNS subdomain name as per RFC1123.\n\nThis means that it must start and end with a lowercase alphanumeric character, must only consist of lowercase alphanumeric characters, '-', and '.'. hostname must be at least 1 character in length and must not exceed 253 characters in length. hostname may optionally specify a port in the format ':{port}'. If a port is specified it must not exceed 65535.", + "description": "hostname is a required hostname for which the external claims are located.\n\nIt must be a valid DNS subdomain name as per RFC1123.\n\nThis means that it must start and end with a lowercase alphanumeric character, must only consist of lowercase alphanumeric characters, '-', and '.'. hostname may optionally specify a port in the format ':{port}'. If a port is specified it must not exceed 65535.\n\nhostname must be at least 1 character in length. When specifying a port, hostname must not exceed 259 characters in length. When not specifying a port, hostname must not exceed 253 characters in length.", "type": "string" }, "pathExpression": { - "description": "pathExpression is a required CEL expression that returns a list of string values used to construct the URL path. Claims from the token used for the request to the kube-apiserver are made available via the `claims` variable. expression must be at least 1 character in length and must not exceed 1024 characters in length.", + "description": "pathExpression is a required CEL expression that returns a list of string values used to construct the URL path. Claims from the token used for the request to the kube-apiserver are made available via the `claims` variable. 
expression must be at least 1 character in length and must not exceed 1024 characters in length.\n\nValues in the returned list will be joined with the hostname using a forward slash (`/`) as a separator. Values in the returned list do not need to include the forward slash. If a forward slash is included in a returned value, it will be encoded as `%2F`.\n\nExample of a static path configuration:\n\n pathExpression: ['realms', 'k8s', 'protocol', 'openid-connect', 'userinfo']\n\nThe above example would resolve to the path: '/realms/k8s/protocol/openid-connect/userinfo'\n\nExample of a dynamic path configuration:\n\n pathExpression: \"['admin', 'realms', 'k8s', 'users'] + [claims.sub] + ['groups']\"\n\nAssuming 'claims.sub' is set to '12345', the above example would resolve to the path: '/admin/realms/k8s/users/12345/groups'", "type": "string" } } @@ -22926,7 +22959,7 @@ ], "properties": { "expression": { - "description": "expression is a required CEL expression that will produce a value to be assigned to the claim. The full response body from the request to the external claim source is provided via the `response` variable. expression must be at least 1 character and must not exceed 1024 characters in length.", + "description": "expression is a required CEL expression that will produce a value to be assigned to the claim. The full response body from the request to the external claim source is provided via the `response.body` variable.\n\nThe contents of the `response.body` variable varies based on the response received from the external source. It is the responsibility of those configuring this expression to understand what is returned from the external source.\n\nexpression must be at least 1 character and must not exceed 1024 characters in length.", "type": "string" }, "name": { 
@@ -25303,14 +25336,6 @@ "type": "integer", "format": "int32" }, - "nodeSelector": { - "description": "nodeSelector defines the nodes on which the Pods are scheduled. nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", - "type": "object", - "additionalProperties": { - "type": "string", - "default": "" - } - }, "resources": { "description": "resources defines the compute resource requests and limits for the node-exporter container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 8m\n limit: null\n - name: memory\n request: 32Mi\n limit: null", "type": "array", @@ -25322,15 +25347,6 @@ "name" ], "x-kubernetes-list-type": "map" - }, - "tolerations": { - "description": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is to tolerate all taints (operator: Exists without any key), which is typical for DaemonSets that must run on every node. Maximum length for this list is 10. Minimum length for this list is 1.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Toleration.v1.core.api.k8s.io" - }, - "x-kubernetes-list-type": "atomic" } } }, 
@@ -25681,7 +25697,7 @@ "x-kubernetes-list-type": "map" }, "retention": { - "description": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).", + "description": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit).", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Retention" }, 
@@ -26117,15 +26133,13 @@ "description": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", "type": "object", "properties": { - "durationInDays": { - "description": "durationInDays specifies how many days Prometheus will retain metrics data. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", - "type": "integer", - "format": "int32" + "duration": { + "description": "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + "type": "string" }, - "sizeInGiB": { - "description": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. 
Maximum value is 16384 GiB (16 TiB).", - "type": "integer", - "format": "int32" + "size": { + "description": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + "type": "string" } } }, 
@@ -26340,6 +26354,14 @@ "description": "ThanosQuerierConfig provides configuration options for the Thanos Querier component that runs in the `openshift-monitoring` namespace. At least one field must be specified; an empty thanosQuerierConfig object is not allowed.", "type": "object", "properties": { + "crossOriginRequestPolicy": { + "description": "crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy for Thanos Querier's HTTP endpoints. crossOriginRequestPolicy is optional. Valid values are \"AllowAll\" and \"DenyAll\". When set to \"AllowAll\", CORS headers are added to responses, allowing cross-origin requests from any domain. When set to \"DenyAll\", no CORS headers are added and cross-origin requests are rejected by the browser. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is \"DenyAll\".", + "type": "string" + }, + "logLevel": { + "description": "logLevel defines the verbosity of logs emitted by Thanos Querier. logLevel is optional. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", + "type": "string" + }, "nodeSelector": { "description": "nodeSelector defines the nodes on which the Pods are scheduled. nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. 
When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", "type": "object", @@ -26348,6 +26370,11 @@ "default": "" } }, + "requestLogging": { + "description": "requestLogging configures request logging for Thanos Querier. requestLogging is optional. When provided, the policy field within is required. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default behavior is to not log any requests.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ThanosQuerierRequestLoggingConfig" + }, "resources": { "description": "resources defines the compute resource requests and limits for the Thanos Querier container. resources is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Requests cannot exceed limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 5m\n - name: memory\n request: 12Mi\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", "type": "array", 
@@ -26384,6 +26411,19 @@ } } }, + "com.github.openshift.api.config.v1alpha1.ThanosQuerierRequestLoggingConfig": { + "description": "ThanosQuerierRequestLoggingConfig configures request logging for Thanos Querier.", + "type": "object", + "required": [ + "policy" + ], + "properties": { + "policy": { + "description": "policy determines which HTTP and gRPC requests are logged by Thanos Querier. Valid values are \"AllRequests\" and \"NoRequests\". When set to \"AllRequests\", every request received by Thanos Querier is logged with method, path, and response status. The log level for request logs is derived from the logLevel field. When set to \"NoRequests\", request logging is turned off.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1alpha1.UppercaseActionConfig": { "description": "UppercaseActionConfig configures the Uppercase action. Maps the concatenated source_labels to their upper case and writes to target_label. Requires Prometheus >= v2.36.0.", "type": "object", diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index df1e70f5c89..61d45cf1a20 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 728c23fcf7b..1a8c79602f9 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 4aab1f5219a..0ed66f3a742 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index b6968ddb931..28b1406aabc 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml 
@@ -4130,12 +4130,33 @@ spec: retention: description: |- retention configures how long Prometheus retains metrics data and how much storage it can use. - When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit). + When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit). minProperties: 1 properties: + duration: + description: |- + duration is an optional field that specifies how long Prometheus retains metrics data. + Valid values are Prometheus duration strings composed of non-negative integer components + with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + Single-unit forms such as "15d" or "24h" are recommended over composite durations with + zero-valued components (for example, "0y5d"), which are redundant but valid upstream. + Must be at least 1 character and at most 64 characters. + When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", + "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical + documented form for disabling time-based retention. + Prometheus automatically deletes data older than this duration. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is `15d`. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus duration string + rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') durationInDays: description: |- durationInDays specifies how many days Prometheus will retain metrics data. + Deprecated: use duration instead. durationInDays and duration cannot both be set. Prometheus automatically deletes data older than this duration. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. @@ -4145,10 +4166,28 @@ spec: maximum: 365 minimum: 1 type: integer + size: + description: |- + size is an optional field that specifies the maximum storage size that Prometheus + can use for data blocks and the write-ahead log (WAL). + Valid values are Prometheus byte-size strings with an optional decimal prefix and a + unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB + (for example, "500MiB", "10GiB"). + Must be at least 1 character and at most 32 characters. + When set to "0", no size limit is enforced. + When the limit is reached, Prometheus deletes oldest data first. + When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. + maxLength: 32 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus byte-size string + rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') sizeInGiB: description: |- sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). + Deprecated: use size instead. sizeInGiB and size cannot both be set. When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. @@ -4158,6 +4197,11 @@ spec: minimum: 1 type: integer type: object + x-kubernetes-validations: + - message: durationInDays and duration cannot both be set + rule: '!has(self.durationInDays) || !has(self.duration)' + - message: sizeInGiB and size cannot both be set + rule: '!has(self.sizeInGiB) || !has(self.size)' tolerations: description: |- tolerations defines tolerations for the pods.