From db4e70fa598fd475427e550707a38524750325dc Mon Sep 17 00:00:00 2001 From: Mario Fernandez Date: Thu, 28 May 2026 13:22:02 +0200 Subject: [PATCH 1/9] Use durationInHours for Prometheus retention and tune limits Express Prometheus retention duration in hours under the existing durationInDays JSON field for wire compatibility. Remove operational maximums (365 days, 16384 GiB, and the interim 87600-hour cap); keep sizeInGiB bounded by the int32 maximum at admission time. Signed-off-by: Mario Fernandez Co-authored-by: Cursor --- config/v1alpha1/types_cluster_monitoring.go | 18 +++++++++--------- ...fig-operator_01_clustermonitorings.crd.yaml | 16 ++++++++-------- .../ClusterMonitoringConfig.yaml | 16 ++++++++-------- .../zz_generated.swagger_doc_generated.go | 6 +++--- .../generated_openapi/zz_generated.openapi.go | 6 +++--- openapi/openapi.json | 6 +++--- ...fig-operator_01_clustermonitorings.crd.yaml | 16 ++++++++-------- 7 files changed, 42 insertions(+), 42 deletions(-) diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go index cc2a3cb3bb3..6cf7d83b053 100644 --- a/config/v1alpha1/types_cluster_monitoring.go +++ b/config/v1alpha1/types_cluster_monitoring.go @@ -1377,7 +1377,7 @@ type PrometheusConfig struct { // +kubebuilder:validation:MinItems=1 Resources []ContainerResource `json:"resources,omitempty"` // retention configures how long Prometheus retains metrics data and how much storage it can use. - // When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit). + // When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit). // +optional Retention Retention `json:"retention,omitempty,omitzero"` // tolerations defines tolerations for the pods. 
@@ -2272,24 +2272,24 @@ type SecretKeySelector struct { // Retention configures how long Prometheus retains metrics data and how much storage it can use. // +kubebuilder:validation:MinProperties=1 type Retention struct { - // durationInDays specifies how many days Prometheus will retain metrics data. + // durationInDays specifies how many hours Prometheus will retain metrics data. + // The JSON field name is durationInDays for wire compatibility with persisted objects; + // the value unit is hours (not days). // Prometheus automatically deletes data older than this duration. // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - // The default value is 15. - // Minimum value is 1 day. - // Maximum value is 365 days (1 year). + // The default value is 360 (equivalent to 15 days). + // Minimum value is 1 hour. // +kubebuilder:validation:Minimum=1 - // +kubebuilder:validation:Maximum=365 // +optional - DurationInDays int32 `json:"durationInDays,omitempty"` + DurationInHours int32 `json:"durationInDays,omitempty"` // sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus // can use for data blocks and the write-ahead log (WAL). // When the limit is reached, Prometheus will delete oldest data first. // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. // Minimum value is 1 GiB. - // Maximum value is 16384 GiB (16 TiB). + // Maximum value is 2147483647 GiB (the maximum representable int32 value). // +kubebuilder:validation:Minimum=1 - // +kubebuilder:validation:Maximum=16384 + // +kubebuilder:validation:Maximum=2147483647 // +optional SizeInGiB int32 `json:"sizeInGiB,omitempty"` } 
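Review bot: Renaming the Go field to `DurationInHours` while keeping `json:"durationInDays,omitempty"` silently reinterprets every already-persisted value: an object stored with `durationInDays: 30` now asks for 30 hours, and Prometheus would then drop roughly 24x more history than the admin configured, which is a retention-loss hazard rather than "wire compatibility". If the unit has to change, introduce a new JSON field and tombstone the old name (as the follow-up commit eventually does), or have the consumer keep interpreting the old field in days. The `+kubebuilder:validation:Maximum=2147483647` on an `int32` is also a no-op, since `format: int32` already bounds the value, so the commit's "bounded by the int32 maximum at admission time" adds nothing; either keep an operational cap like the removed 16384 GiB or state in the comment that the only effective bound is the PersistentVolume capacity.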
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml index b226cec1ce1..9a7a452e95b 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -4595,19 +4595,19 @@ spec: retention: description: |- retention configures how long Prometheus retains metrics data and how much storage it can use. - When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit). + When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit). minProperties: 1 properties: durationInDays: description: |- - durationInDays specifies how many days Prometheus will retain metrics data. + durationInDays specifies how many hours Prometheus will retain metrics data. + The JSON field name is durationInDays for wire compatibility with persisted objects; + the value unit is hours (not days). Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The default value is 15. - Minimum value is 1 day. - Maximum value is 365 days (1 year). + The default value is 360 (equivalent to 15 days). + Minimum value is 1 hour. format: int32 - maximum: 365 minimum: 1 type: integer sizeInGiB: 
@@ -4617,9 +4617,9 @@ spec: When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. - Maximum value is 16384 GiB (16 TiB). + Maximum value is 2147483647 GiB (the maximum representable int32 value). format: int32 - maximum: 16384 + maximum: 2147483647 minimum: 1 type: integer type: object diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index ce0b0866156..596cd1a2056 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
@@ -4595,19 +4595,19 @@ spec: retention: description: |- retention configures how long Prometheus retains metrics data and how much storage it can use. - When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit). + When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit). minProperties: 1 properties: durationInDays: description: |- - durationInDays specifies how many days Prometheus will retain metrics data. + durationInDays specifies how many hours Prometheus will retain metrics data. + The JSON field name is durationInDays for wire compatibility with persisted objects; + the value unit is hours (not days). Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The default value is 15. - Minimum value is 1 day. - Maximum value is 365 days (1 year). + The default value is 360 (equivalent to 15 days). + Minimum value is 1 hour. format: int32 - maximum: 365 minimum: 1 type: integer sizeInGiB: @@ -4617,9 +4617,9 @@ spec: When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. - Maximum value is 16384 GiB (16 TiB). + Maximum value is 2147483647 GiB (the maximum representable int32 value). format: int32 - maximum: 16384 + maximum: 2147483647 minimum: 1 type: integer type: object diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 44db6eb6a9e..1cd18827431 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -529,7 +529,7 @@ var map_PrometheusConfig = map[string]string{ "queryLogFile": "queryLogFile specifies the file to which PromQL queries are logged. This setting can be either a filename, in which case the queries are saved to an `emptyDir` volume at `/var/log/prometheus`, or a full path to a location where an `emptyDir` volume will be mounted and the queries saved. Writing to `/dev/stderr`, `/dev/stdout` or `/dev/null` is supported, but writing to any other `/dev/` path is not supported. Relative paths are also not supported. By default, PromQL queries are not logged. Must be an absolute path starting with `/` or a simple filename without path separators. Must not contain consecutive slashes, end with a slash, or include '..' path traversal. Must contain only alphanumeric characters, '.', '_', '-', or '/'. Must be between 1 and 255 characters in length.", "remoteWrite": "remoteWrite defines the remote write configuration, including URL, authentication, and relabeling settings. Remote write allows Prometheus to send metrics it collects to external long-term storage systems. When omitted, no remote write endpoints are configured. When provided, at least one configuration must be specified (minimum 1, maximum 10 items). Entries must have unique names (name is the list key).", "resources": "resources defines the compute resource requests and limits for the Prometheus container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. 
Each resource name must be unique within this list.", - "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).", + "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit).", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Prometheus Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", "collectionProfile": "collectionProfile defines the metrics collection profile that Prometheus uses to collect metrics from the platform components. Supported values are `Full` or `Minimal`. In the `Full` profile (default), Prometheus collects all metrics that are exposed by the platform components. 
In the `Minimal` profile, Prometheus only collects metrics necessary for the default platform alerts, recording rules, telemetry and console dashboards. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is `Full`.", 
@@ -663,8 +663,8 @@ func (ReplaceActionConfig) SwaggerDoc() map[string]string { var map_Retention = map[string]string{ "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", - "durationInDays": "durationInDays specifies how many days Prometheus will retain metrics data. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", - "sizeInGiB": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", + "durationInDays": "durationInDays specifies how many hours Prometheus will retain metrics data. The JSON field name is durationInDays for wire compatibility with persisted objects; the value unit is hours (not days). Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 360 (equivalent to 15 days). Minimum value is 1 hour.", + "sizeInGiB": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 2147483647 GiB (the maximum representable int32 value).", } func (Retention) SwaggerDoc() map[string]string { 
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 372ab5b69ac..65924ba9f73 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -25931,7 +25931,7 @@ func schema_openshift_api_config_v1alpha1_PrometheusConfig(ref common.ReferenceC }, "retention": { SchemaProps: spec.SchemaProps{ - Description: "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).", + Description: "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit).", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1alpha1.Retention"), }, 
@@ -26666,14 +26666,14 @@ func schema_openshift_api_config_v1alpha1_Retention(ref common.ReferenceCallback Properties: map[string]spec.Schema{ "durationInDays": { SchemaProps: spec.SchemaProps{ - Description: "durationInDays specifies how many days Prometheus will retain metrics data. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", + Description: "durationInDays specifies how many hours Prometheus will retain metrics data. The JSON field name is durationInDays for wire compatibility with persisted objects; the value unit is hours (not days). Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 360 (equivalent to 15 days). Minimum value is 1 hour.", Type: []string{"integer"}, Format: "int32", }, }, "sizeInGiB": { SchemaProps: spec.SchemaProps{ - Description: "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", + Description: "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 2147483647 GiB (the maximum representable int32 value).", Type: []string{"integer"}, Format: "int32", }, 
diff --git a/openapi/openapi.json b/openapi/openapi.json index 3c26ba31946..c45c5bf1975 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -25793,7 +25793,7 @@ "x-kubernetes-list-type": "map" }, "retention": { - "description": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).", + "description": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit).", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Retention" }, 
@@ -26230,12 +26230,12 @@ "type": "object", "properties": { "durationInDays": { - "description": "durationInDays specifies how many days Prometheus will retain metrics data. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", + "description": "durationInDays specifies how many hours Prometheus will retain metrics data. The JSON field name is durationInDays for wire compatibility with persisted objects; the value unit is hours (not days). Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 360 (equivalent to 15 days). Minimum value is 1 hour.", "type": "integer", "format": "int32" }, "sizeInGiB": { - "description": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", + "description": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 2147483647 GiB (the maximum representable int32 value).", "type": "integer", "format": "int32" } 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index b226cec1ce1..9a7a452e95b 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -4595,19 +4595,19 @@ spec: retention: description: |- retention configures how long Prometheus retains metrics data and how much storage it can use. - When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit). + When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit). minProperties: 1 properties: durationInDays: description: |- - durationInDays specifies how many days Prometheus will retain metrics data. + durationInDays specifies how many hours Prometheus will retain metrics data. + The JSON field name is durationInDays for wire compatibility with persisted objects; + the value unit is hours (not days). Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The default value is 15. - Minimum value is 1 day. - Maximum value is 365 days (1 year). + The default value is 360 (equivalent to 15 days). + Minimum value is 1 hour. format: int32 - maximum: 365 minimum: 1 type: integer sizeInGiB: @@ -4617,9 +4617,9 @@ spec: When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. - Maximum value is 16384 GiB (16 TiB). + Maximum value is 2147483647 GiB (the maximum representable int32 value). format: int32 - maximum: 16384 + maximum: 2147483647 minimum: 1 type: integer type: object 
From 602d6f4e49e40f952c207f62c72df78c7f5cdb1a Mon Sep 17 00:00:00 2001 From: Mario Fernandez Date: Fri, 29 May 2026 12:55:17 +0200 Subject: [PATCH 2/9] Use Prometheus Operator retention strings in ClusterMonitoring API Replace int32 durationInDays and sizeInGiB with duration and size string fields validated by the upstream Prometheus Operator CRD patterns so CMO can pass values through without lossy conversion. Tombstone the previous fields and add integration tests for valid and invalid retention values. Co-authored-by: Cursor --- .../ClusterMonitoringConfig.yaml | 60 +++++++++++++++++++ config/v1alpha1/types_cluster_monitoring.go | 48 ++++++++++----- ...ig-operator_01_clustermonitorings.crd.yaml | 51 ++++++++++------ .../ClusterMonitoringConfig.yaml | 51 ++++++++++------ .../zz_generated.swagger_doc_generated.go | 8 +-- .../generated_openapi/zz_generated.openapi.go | 18 +++--- openapi/openapi.json | 16 +++-- ...ig-operator_01_clustermonitorings.crd.yaml | 51 ++++++++++------ 8 files changed, 209 insertions(+), 94 deletions(-) diff --git a/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index 91882606101..a8c93127950 100644 --- a/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
@@ -2880,6 +2880,66 @@ tests: - key: "key2" operator: "Exists" effect: "NoExecute" + - name: Should accept prometheusConfig retention duration + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + duration: "15h" + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + duration: "15h" + - name: Should accept prometheusConfig retention size + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + size: "500MiB" + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + size: "500MiB" + - name: Should reject invalid prometheusConfig retention duration + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + duration: "15days" + expectedError: 'spec.prometheusConfig.retention.duration: Invalid value: "15days"' + - name: Should reject invalid prometheusConfig retention size + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + size: "500Mi" + expectedError: 'spec.prometheusConfig.retention.size: Invalid value: "500Mi"' onUpdate: - name: Should allow updating KubeStateMetricsConfig resources initial: | diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go index 6cf7d83b053..32715966414 100644 --- a/config/v1alpha1/types_cluster_monitoring.go +++ b/config/v1alpha1/types_cluster_monitoring.go 
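Review bot: The new cases exercise one accepted and one rejected literal per field, so the edges the schema actually encodes stay untested: the explicit `0` alternative in both regexes (`duration: "0"`, `size: "0"`), a compound duration such as `1d12h`, a decimal size such as `1.5GiB`, and the `maxLength` bounds (a 65-character duration and a 33-character size should both be rejected). Pinning `"0"` matters because the field docs assign it special meaning, and the length cases catch a future regex or bound change that would otherwise go unnoticed. The enclosing `tests:` list starts outside the hunk.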
@@ -1377,7 +1377,7 @@ type PrometheusConfig struct { // +kubebuilder:validation:MinItems=1 Resources []ContainerResource `json:"resources,omitempty"` // retention configures how long Prometheus retains metrics data and how much storage it can use. - // When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit). + // When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit). // +optional Retention Retention `json:"retention,omitempty,omitzero"` // tolerations defines tolerations for the pods. 
@@ -2272,26 +2272,44 @@ type SecretKeySelector struct { // Retention configures how long Prometheus retains metrics data and how much storage it can use. // +kubebuilder:validation:MinProperties=1 type Retention struct { - // durationInDays specifies how many hours Prometheus will retain metrics data. - // The JSON field name is durationInDays for wire compatibility with persisted objects; - // the value unit is hours (not days). + // durationInDays is tombstoned since the field was replaced by duration. + // DurationInDays int32 `json:"durationInDays,omitempty"` + + // sizeInGiB is tombstoned since the field was replaced by size. + // SizeInGiB int32 `json:"sizeInGiB,omitempty"` + + // duration is an optional field that specifies how long Prometheus retains metrics data. + // The format mimics the Prometheus Operator CRD retention field validation pattern so values + // can be passed through to the Prometheus custom resource without conversion. + // Valid values are Prometheus duration strings composed of non-negative integer components + // with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + // Must be at least 1 character and at most 64 characters. + // When set to "0", retention is disabled. // Prometheus automatically deletes data older than this duration. // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - // The default value is 360 (equivalent to 15 days). - // Minimum value is 1 hour. - // +kubebuilder:validation:Minimum=1 + // The current default value is `15d`. 
+ // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=64 + // +kubebuilder:validation:XValidation:rule=`self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$')`,message="must be a valid Prometheus duration string" // +optional - DurationInHours int32 `json:"durationInDays,omitempty"` - // sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus + Duration string `json:"duration,omitempty"` + + // size is an optional field that specifies the maximum storage size that Prometheus // can use for data blocks and the write-ahead log (WAL). - // When the limit is reached, Prometheus will delete oldest data first. + // The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values + // can be passed through to the Prometheus custom resource without conversion. + // Valid values are Prometheus byte-size strings with an optional decimal prefix and a + // unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB + // (for example, "500MiB", "10GiB"). + // Must be at least 1 character and at most 32 characters. + // When set to "0", no size limit is enforced. + // When the limit is reached, Prometheus deletes oldest data first. // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. - // Minimum value is 1 GiB. - // Maximum value is 2147483647 GiB (the maximum representable int32 value). 
- // +kubebuilder:validation:Minimum=1 - // +kubebuilder:validation:Maximum=2147483647 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=32 + // +kubebuilder:validation:XValidation:rule=`self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$')`,message="must be a valid Prometheus byte-size string" // +optional - SizeInGiB int32 `json:"sizeInGiB,omitempty"` + Size string `json:"size,omitempty"` } // RelabelAction defines the action to perform in a relabeling rule. diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml index 9a7a452e95b..2bf021c9138 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml 
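Review bot: `When set to "0", retention is disabled.` on `duration` is ambiguous in a way that matters operationally: it can be read as "nothing is kept" or as "no time bound at all, the TSDB grows until `size` or the PersistentVolume stops it", and since `size` is likewise documented with `"0"` meaning no limit, `MinProperties=1` still admits `retention: {duration: "0", size: "0"}`, a request for no retention bound of any kind. I would state the concrete effect, e.g. `// When set to "0", no time-based limit is applied; data is only removed by size, if configured.` (confirm against the Prometheus behaviour CMO relies on), and either reject the both-zero combination with an XValidation or document that it is intentionally allowed. Separately, tombstoning `durationInDays`/`sizeInGiB` means a persisted object whose `retention` block set only those fields is pruned to an empty object on read; whether a later update then fails `MinProperties=1` depends on validation ratcheting in the target API server, so the upgrade path deserves an explicit test or a CMO-side migration.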
@@ -4595,33 +4595,46 @@ spec: retention: description: |- retention configures how long Prometheus retains metrics data and how much storage it can use. - When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit). + When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit). minProperties: 1 properties: - durationInDays: + duration: description: |- - durationInDays specifies how many hours Prometheus will retain metrics data. - The JSON field name is durationInDays for wire compatibility with persisted objects; - the value unit is hours (not days). + duration is an optional field that specifies how long Prometheus retains metrics data. + The format mimics the Prometheus Operator CRD retention field validation pattern so values + can be passed through to the Prometheus custom resource without conversion. + Valid values are Prometheus duration strings composed of non-negative integer components + with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + Must be at least 1 character and at most 64 characters. + When set to "0", retention is disabled. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The default value is 360 (equivalent to 15 days). - Minimum value is 1 hour. - format: int32 - minimum: 1 - type: integer - sizeInGiB: + The current default value is `15d`. 
+ maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus duration string + rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') + size: description: |- - sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus + size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). - When the limit is reached, Prometheus will delete oldest data first. + The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values + can be passed through to the Prometheus custom resource without conversion. + Valid values are Prometheus byte-size strings with an optional decimal prefix and a + unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB + (for example, "500MiB", "10GiB"). + Must be at least 1 character and at most 32 characters. + When set to "0", no size limit is enforced. + When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. - Minimum value is 1 GiB. - Maximum value is 2147483647 GiB (the maximum representable int32 value). - format: int32 - maximum: 2147483647 - minimum: 1 - type: integer + maxLength: 32 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus byte-size string + rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') type: object tolerations: description: |- diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index 596cd1a2056..fd2f710a3d4 100644 
--- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
@@ -4595,33 +4595,46 @@ spec: retention: description: |- retention configures how long Prometheus retains metrics data and how much storage it can use. - When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit). + When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit). minProperties: 1 properties: - durationInDays: + duration: description: |- - durationInDays specifies how many hours Prometheus will retain metrics data. - The JSON field name is durationInDays for wire compatibility with persisted objects; - the value unit is hours (not days). + duration is an optional field that specifies how long Prometheus retains metrics data. + The format mimics the Prometheus Operator CRD retention field validation pattern so values + can be passed through to the Prometheus custom resource without conversion. + Valid values are Prometheus duration strings composed of non-negative integer components + with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + Must be at least 1 character and at most 64 characters. + When set to "0", retention is disabled. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The default value is 360 (equivalent to 15 days). - Minimum value is 1 hour. - format: int32 - minimum: 1 - type: integer - sizeInGiB: + The current default value is `15d`. 
+ maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus duration string + rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') + size: description: |- - sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus + size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). - When the limit is reached, Prometheus will delete oldest data first. + The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values + can be passed through to the Prometheus custom resource without conversion. + Valid values are Prometheus byte-size strings with an optional decimal prefix and a + unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB + (for example, "500MiB", "10GiB"). + Must be at least 1 character and at most 32 characters. + When set to "0", no size limit is enforced. + When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. - Minimum value is 1 GiB. - Maximum value is 2147483647 GiB (the maximum representable int32 value). - format: int32 - maximum: 2147483647 - minimum: 1 - type: integer + maxLength: 32 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus byte-size string + rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') type: object tolerations: description: |- diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 1cd18827431..a23983bd9e0 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -529,7 +529,7 @@ var map_PrometheusConfig = map[string]string{ "queryLogFile": "queryLogFile specifies the file to which PromQL queries are logged. This setting can be either a filename, in which case the queries are saved to an `emptyDir` volume at `/var/log/prometheus`, or a full path to a location where an `emptyDir` volume will be mounted and the queries saved. Writing to `/dev/stderr`, `/dev/stdout` or `/dev/null` is supported, but writing to any other `/dev/` path is not supported. Relative paths are also not supported. By default, PromQL queries are not logged. Must be an absolute path starting with `/` or a simple filename without path separators. Must not contain consecutive slashes, end with a slash, or include '..' path traversal. Must contain only alphanumeric characters, '.', '_', '-', or '/'. Must be between 1 and 255 characters in length.", "remoteWrite": "remoteWrite defines the remote write configuration, including URL, authentication, and relabeling settings. Remote write allows Prometheus to send metrics it collects to external long-term storage systems. When omitted, no remote write endpoints are configured. When provided, at least one configuration must be specified (minimum 1, maximum 10 items). Entries must have unique names (name is the list key).", "resources": "resources defines the compute resource requests and limits for the Prometheus container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. 
Each resource name must be unique within this list.", - "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit).", + "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit).", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Prometheus Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", "collectionProfile": "collectionProfile defines the metrics collection profile that Prometheus uses to collect metrics from the platform components. Supported values are `Full` or `Minimal`. In the `Full` profile (default), Prometheus collects all metrics that are exposed by the platform components. In the `Minimal` profile, Prometheus only collects metrics necessary for the default platform alerts, recording rules, telemetry and console dashboards. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is `Full`.", 
@@ -662,9 +662,9 @@ func (ReplaceActionConfig) SwaggerDoc() map[string]string { } var map_Retention = map[string]string{ - "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", - "durationInDays": "durationInDays specifies how many hours Prometheus will retain metrics data. The JSON field name is durationInDays for wire compatibility with persisted objects; the value unit is hours (not days). Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 360 (equivalent to 15 days). Minimum value is 1 hour.", - "sizeInGiB": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 2147483647 GiB (the maximum representable int32 value).", + "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", + "duration": "duration is an optional field that specifies how long Prometheus retains metrics data. The format mimics the Prometheus Operator CRD retention field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Must be at least 1 character and at most 64 characters. When set to \"0\", retention is disabled. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. 
The current default value is `15d`.", + "size": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", } func (Retention) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 65924ba9f73..f89a112443d 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -25931,7 +25931,7 @@ func schema_openshift_api_config_v1alpha1_PrometheusConfig(ref common.ReferenceC }, "retention": { SchemaProps: spec.SchemaProps{ - Description: "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit).", + Description: "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit).", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1alpha1.Retention"), }, 
@@ -26664,18 +26664,18 @@ func schema_openshift_api_config_v1alpha1_Retention(ref common.ReferenceCallback Description: "Retention configures how long Prometheus retains metrics data and how much storage it can use.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "durationInDays": { + "duration": { SchemaProps: spec.SchemaProps{ - Description: "durationInDays specifies how many hours Prometheus will retain metrics data. The JSON field name is durationInDays for wire compatibility with persisted objects; the value unit is hours (not days). Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 360 (equivalent to 15 days). Minimum value is 1 hour.", - Type: []string{"integer"}, - Format: "int32", + Description: "duration is an optional field that specifies how long Prometheus retains metrics data. The format mimics the Prometheus Operator CRD retention field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Must be at least 1 character and at most 64 characters. When set to \"0\", retention is disabled. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + Type: []string{"string"}, + Format: "", }, }, - "sizeInGiB": { + "size": { SchemaProps: spec.SchemaProps{ - Description: "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. 
When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 2147483647 GiB (the maximum representable int32 value).", - Type: []string{"integer"}, - Format: "int32", + Description: "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + Type: []string{"string"}, + Format: "", }, }, }, diff --git a/openapi/openapi.json b/openapi/openapi.json index c45c5bf1975..a37c63605d0 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -25793,7 +25793,7 @@ "x-kubernetes-list-type": "map" }, "retention": { - "description": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit).", + "description": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit).", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Retention" }, 
@@ -26229,15 +26229,13 @@ "description": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", "type": "object", "properties": { - "durationInDays": { - "description": "durationInDays specifies how many hours Prometheus will retain metrics data. The JSON field name is durationInDays for wire compatibility with persisted objects; the value unit is hours (not days). Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 360 (equivalent to 15 days). Minimum value is 1 hour.", - "type": "integer", - "format": "int32" + "duration": { + "description": "duration is an optional field that specifies how long Prometheus retains metrics data. The format mimics the Prometheus Operator CRD retention field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). When set to \"0\", retention is disabled. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + "type": "string" }, - "sizeInGiB": { - "description": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. 
Maximum value is 2147483647 GiB (the maximum representable int32 value).", - "type": "integer", - "format": "int32" + "size": { + "description": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + "type": "string" } } }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index 9a7a452e95b..2bf021c9138 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml 
@@ -4595,33 +4595,46 @@ spec: retention: description: |- retention configures how long Prometheus retains metrics data and how much storage it can use. - When omitted, the platform chooses reasonable defaults (currently 360 hours retention, no size limit). + When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit). minProperties: 1 properties: - durationInDays: + duration: description: |- - durationInDays specifies how many hours Prometheus will retain metrics data. - The JSON field name is durationInDays for wire compatibility with persisted objects; - the value unit is hours (not days). + duration is an optional field that specifies how long Prometheus retains metrics data. + The format mimics the Prometheus Operator CRD retention field validation pattern so values + can be passed through to the Prometheus custom resource without conversion. + Valid values are Prometheus duration strings composed of non-negative integer components + with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + Must be at least 1 character and at most 64 characters. + When set to "0", retention is disabled. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The default value is 360 (equivalent to 15 days). - Minimum value is 1 hour. - format: int32 - minimum: 1 - type: integer - sizeInGiB: + The current default value is `15d`. 
+ maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus duration string + rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') + size: description: |- - sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus + size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). - When the limit is reached, Prometheus will delete oldest data first. + The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values + can be passed through to the Prometheus custom resource without conversion. + Valid values are Prometheus byte-size strings with an optional decimal prefix and a + unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB + (for example, "500MiB", "10GiB"). + Must be at least 1 character and at most 32 characters. + When set to "0", no size limit is enforced. + When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. - Minimum value is 1 GiB. - Maximum value is 2147483647 GiB (the maximum representable int32 value). - format: int32 - maximum: 2147483647 - minimum: 1 - type: integer + maxLength: 32 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid Prometheus byte-size string + rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') type: object tolerations: description: |- From 68a8b0dbf332aaffb050f969c569b69059ceba73 Mon Sep 17 00:00:00 2001 
From: Mario Fernandez Date: Fri, 29 May 2026 16:08:18 +0200 Subject: [PATCH 3/9] Clarify retention duration semantics and fix tombstone comments Document that "0", "0d", and "0y" are equivalent zero durations while "0" remains canonical for disabling time-based retention. Recommend single-unit forms without adding stricter validation than the Prometheus Operator CRD. Expand tombstones with full original field comments using Former marker lines to avoid confusing kubebuilder code generation. Co-authored-by: Cursor --- config/v1alpha1/types_cluster_monitoring.go | 33 ++++++++++++++++--- ...ig-operator_01_clustermonitorings.crd.yaml | 9 +++-- .../ClusterMonitoringConfig.yaml | 9 +++-- .../zz_generated.swagger_doc_generated.go | 4 +-- .../generated_openapi/zz_generated.openapi.go | 4 +-- ...ig-operator_01_clustermonitorings.crd.yaml | 9 +++-- 6 files changed, 54 insertions(+), 14 deletions(-) diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go index 32715966414..77bf6509311 100644 --- a/config/v1alpha1/types_cluster_monitoring.go +++ b/config/v1alpha1/types_cluster_monitoring.go 
@@ -2272,10 +2272,30 @@ type SecretKeySelector struct { // Retention configures how long Prometheus retains metrics data and how much storage it can use. // +kubebuilder:validation:MinProperties=1 type Retention struct { - // durationInDays is tombstoned since the field was replaced by duration. + // TOMBSTONE: This field was tombstoned in favor of `duration`. + // --- + // durationInDays specifies how many days Prometheus will retain metrics data. + // Prometheus automatically deletes data older than this duration. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // The default value is 15. + // Minimum value is 1 day. + // Maximum value is 365 days (1 year). + // Former marker: kubebuilder:validation:Minimum=1 + // Former marker: kubebuilder:validation:Maximum=365 + // Former marker: optional // DurationInDays int32 `json:"durationInDays,omitempty"` - // sizeInGiB is tombstoned since the field was replaced by size. + // TOMBSTONE: This field was tombstoned in favor of `size`. + // --- + // sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus + // can use for data blocks and the write-ahead log (WAL). + // When the limit is reached, Prometheus will delete oldest data first. + // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. + // Minimum value is 1 GiB. + // Maximum value is 16384 GiB (16 TiB). + // Former marker: kubebuilder:validation:Minimum=1 + // Former marker: kubebuilder:validation:Maximum=16384 + // Former marker: optional // SizeInGiB int32 `json:"sizeInGiB,omitempty"` // duration is an optional field that specifies how long Prometheus retains metrics data. 
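Review bot: The tombstones drop `durationInDays` and `sizeInGiB` from the struct while the `// +kubebuilder:validation:MinProperties=1` marker on `Retention` stays in place, so an object persisted before this change with only one of the old fields set will, once the now-unknown field is pruned by the structural schema (if I read that behaviour right), carry an empty retention object that fails `minProperties: 1` on its next update; the hunk says the fields were replaced but not how such objects are handled. For a `v1alpha1` type that may well be acceptable, but the tombstone is the place to record it, e.g. after the first TOMBSTONE line: `// Values persisted under durationInDays are pruned as unknown and are not converted to duration; such objects must set duration or size before their next update.`. The `sizeInGiB` tombstone later in the same hunk needs the matching sentence. The `Retention` struct continues past the end of this hunk.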
@@ -2283,8 +2303,12 @@ type Retention struct { // can be passed through to the Prometheus custom resource without conversion. // Valid values are Prometheus duration strings composed of non-negative integer components // with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + // Single-unit forms such as "15d" or "24h" are recommended over composite durations with + // zero-valued components (for example, "0y5d"), which are redundant but valid upstream. // Must be at least 1 character and at most 64 characters. - // When set to "0", retention is disabled. + // When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", + // "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical + // documented form for disabling time-based retention. // Prometheus automatically deletes data older than this duration. // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. // The current default value is `15d`. @@ -2302,7 +2326,8 @@ type Retention struct { // unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB // (for example, "500MiB", "10GiB"). // Must be at least 1 character and at most 32 characters. - // When set to "0", no size limit is enforced. + // When set to "0", no size limit is enforced. This matches the Prometheus Operator + // retentionSize field, where "0" is the canonical form for disabling size-based retention. // When the limit is reached, Prometheus deletes oldest data first. // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. // +kubebuilder:validation:MinLength=1 
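Review bot: The new sentence `When set to "0", time-based retention is disabled.` holds only when a size limit is also configured: as far as I recall, Prometheus falls back to its default 15d retention when both `--storage.tsdb.retention.time` and `--storage.tsdb.retention.size` resolve to zero, so `duration: "0"` with `size` omitted (or set to `"0"`, which the second hunk on this line documents as "no size limit") does not disable retention at all, while `duration: "0"` with a `size` set leaves that size as the only bound on stored data. The comment should state that dependency, e.g. `// "0" only disables time-based retention when size is also set; with no size limit Prometheus applies its own default retention instead, and with a size limit that limit alone bounds stored data.`. The `size` comment touched by the second hunk (`When set to "0", no size limit is enforced.`) needs the mirror-image qualification, since the both-zero and both-omitted cases behave differently from the text as written. Both hunks sit inside the `Retention` struct, whose start and end lie outside them.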
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml index 2bf021c9138..5b97fcc0ef1 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -4605,8 +4605,12 @@ spec: can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + Single-unit forms such as "15d" or "24h" are recommended over composite durations with + zero-valued components (for example, "0y5d"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. - When set to "0", retention is disabled. + When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", + "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical + documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`. 
@@ -4626,7 +4630,8 @@ spec: unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). Must be at least 1 character and at most 32 characters. - When set to "0", no size limit is enforced. + When set to "0", no size limit is enforced. This matches the Prometheus Operator + retentionSize field, where "0" is the canonical form for disabling size-based retention. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. maxLength: 32 diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index fd2f710a3d4..449f84727ec 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
@@ -4605,8 +4605,12 @@ spec: can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + Single-unit forms such as "15d" or "24h" are recommended over composite durations with + zero-valued components (for example, "0y5d"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. - When set to "0", retention is disabled. + When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", + "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical + documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`. @@ -4626,7 +4630,8 @@ spec: unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). Must be at least 1 character and at most 32 characters. - When set to "0", no size limit is enforced. + When set to "0", no size limit is enforced. This matches the Prometheus Operator + retentionSize field, where "0" is the canonical form for disabling size-based retention. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. maxLength: 32 diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index a23983bd9e0..a6fb2455d5a 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -663,8 +663,8 @@ func (ReplaceActionConfig) SwaggerDoc() map[string]string { var map_Retention = map[string]string{ "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", - "duration": "duration is an optional field that specifies how long Prometheus retains metrics data. The format mimics the Prometheus Operator CRD retention field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Must be at least 1 character and at most 64 characters. When set to \"0\", retention is disabled. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", - "size": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + "duration": "duration is an optional field that specifies how long Prometheus retains metrics data. 
The format mimics the Prometheus Operator CRD retention field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + "size": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. This matches the Prometheus Operator retentionSize field, where \"0\" is the canonical form for disabling size-based retention. When the limit is reached, Prometheus deletes oldest data first. 
When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", } func (Retention) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index f89a112443d..05343c6e985 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -26666,14 +26666,14 @@ func schema_openshift_api_config_v1alpha1_Retention(ref common.ReferenceCallback Properties: map[string]spec.Schema{ "duration": { SchemaProps: spec.SchemaProps{ - Description: "duration is an optional field that specifies how long Prometheus retains metrics data. The format mimics the Prometheus Operator CRD retention field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Must be at least 1 character and at most 64 characters. When set to \"0\", retention is disabled. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + Description: "duration is an optional field that specifies how long Prometheus retains metrics data. The format mimics the Prometheus Operator CRD retention field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", Type: []string{"string"}, Format: "", }, }, "size": { SchemaProps: spec.SchemaProps{ - Description: "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + Description: "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. This matches the Prometheus Operator retentionSize field, where \"0\" is the canonical form for disabling size-based retention. When the limit is reached, Prometheus deletes oldest data first. 
When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", Type: []string{"string"}, Format: "", }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index 2bf021c9138..5b97fcc0ef1 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -4605,8 +4605,12 @@ spec: can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). + Single-unit forms such as "15d" or "24h" are recommended over composite durations with + zero-valued components (for example, "0y5d"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. - When set to "0", retention is disabled. + When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", + "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical + documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`. 
@@ -4626,7 +4630,8 @@ spec: unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). Must be at least 1 character and at most 32 characters. - When set to "0", no size limit is enforced. + When set to "0", no size limit is enforced. This matches the Prometheus Operator + retentionSize field, where "0" is the canonical form for disabling size-based retention. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. maxLength: 32 From f6e2e92990b8cb9212f545945d95f999ec4d38af Mon Sep 17 00:00:00 2001 
From: Mario Fernandez Date: Fri, 29 May 2026 16:56:45 +0200 Subject: [PATCH 4/9] Fix retention API schema compatibility and validation tests Keep deprecated durationInDays and sizeInGiB alongside the new Prometheus duration/size fields with mutual exclusion validation to satisfy CRD schema checks. Revert transitMount to optional, trim user-facing godoc, and align integration test expectations with CEL validation error messages. Co-authored-by: Cursor --- .../VaultKMS.yaml | 21 ---------- config/v1/types_kmsencryption.go | 14 ++++--- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 13 ++++--- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 13 ++++--- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 13 ++++--- .../KMSEncryption.yaml | 13 ++++--- .../v1/zz_generated.swagger_doc_generated.go | 2 +- .../ClusterMonitoringConfig.yaml | 28 +++++++++++++- config/v1alpha1/types_cluster_monitoring.go | 31 +++++++-------- ...ig-operator_01_clustermonitorings.crd.yaml | 38 ++++++++++++++++--- .../ClusterMonitoringConfig.yaml | 38 ++++++++++++++++--- .../zz_generated.swagger_doc_generated.go | 8 ++-- .../generated_openapi/zz_generated.openapi.go | 22 +++++++++-- openapi/openapi.json | 4 +- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 13 ++++--- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 13 ++++--- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 13 ++++--- ...ig-operator_01_clustermonitorings.crd.yaml | 38 ++++++++++++++++--- 18 files changed, 226 insertions(+), 109 deletions(-) diff --git a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml index 37248a5956c..bfbed47e109 100644 --- a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml 
@@ -390,27 +390,6 @@ tests: transitKey: my-key expectedError: "appRole config is required when authentication type is AppRole" - # transitMount required field validation - - name: Should reject Vault KMS config without transitMount - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: Vault - vault: - kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef - vaultAddress: https://vault.example.com:8200 - authentication: - type: AppRole - appRole: - secret: - name: vault-approle - transitKey: my-key - expectedError: "Required value" - # kmsPluginImage validation tests - name: Should reject kmsPluginImage with tag instead of digest initial: | diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go index 6b58d9da49b..9eddb26b808 100644 --- a/config/v1/types_kmsencryption.go +++ b/config/v1/types_kmsencryption.go 
@@ -193,10 +193,14 @@ type VaultKMSPluginConfig struct { // transitMount specifies the mount path of the Vault Transit engine. // - // The transit mount must be between 1 and 1024 characters, cannot start or - // end with a forward slash, cannot contain consecutive forward slashes, and - // must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - // period, underscore, tilde) and forward slashes as path separators. + // When omitted, this means the user has no opinion and the platform is left + // to choose a reasonable default. These defaults are subject to change over time. + // The current default is "transit". + // + // The transit mount must be between 1 and 1024 characters when specified, cannot start or + // end with a forward slash, cannot contain consecutive forward slashes, and must only contain + // RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + // slashes as path separators. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=1024 @@ -204,7 +208,7 @@ type VaultKMSPluginConfig struct { // +kubebuilder:validation:XValidation:rule="!self.endsWith('/')",message="transitMount cannot end with a forward slash" // +kubebuilder:validation:XValidation:rule="!self.contains('//')",message="transitMount cannot contain consecutive forward slashes" // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._~/-]+$')",message="transitMount must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes" - // +required + // +optional TransitMount string `json:"transitMount,omitempty"` // transitKey specifies the name of the encryption key in Vault's Transit engine. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index b18ea746404..73318d58e5c 100644 
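Review bot: The rewritten transitMount comment in the @@ -193 hunk states `The current default is "transit".`, but neither hunk adds a `+kubebuilder:default` marker, so nothing in this file establishes that default and a reader cannot tell whether the API server or the consuming operator applies it. Because the field is now `+optional` with `omitempty`, Go consumers also cannot distinguish an explicit empty string from omission, so whichever component applies the default must treat the zero value as "transit"; either back the claim with `// +kubebuilder:default="transit"` or reword it to `// The current default, applied by the consuming operator, is "transit".` (hedged: confirm which component actually defaults it). The flip from `+required` to `+optional` in the @@ -204 hunk is covered only by deleting the "Should reject Vault KMS config without transitMount" case in VaultKMS.yaml; no case was added showing that an omitted transitMount is accepted, so a regression back to required would go unnoticed. For an encryption-at-rest setting that selects which Vault mount holds the key, an accepting test plus an explicit statement of who applies the default is worth having.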
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index b8700ff3f16..270f9fa9fd0 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 6728a62ef56..7a0a5fd6eb2 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index 4bbdc315e3e..69ad0815ed3 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 1e9c65bf862..e3bcb346336 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -2467,7 +2467,7 @@ var map_VaultKMSPluginConfig = map[string]string{ "vaultNamespace": "vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. This is only applicable for Vault Enterprise installations. When this field is not set, no namespace is used.\n\nThe value must be between 1 and 4096 characters. The namespace cannot end with a forward slash, cannot contain spaces, and cannot be one of the reserved strings: root, sys, audit, auth, cubbyhole, or identity.", "tls": "tls contains the TLS configuration for connecting to the Vault server. When this field is not set, system default TLS settings are used.", "authentication": "authentication defines the authentication method used to authenticate with Vault.", - "transitMount": "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", + "transitMount": "transitMount specifies the mount path of the Vault Transit engine.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a reasonable default. These defaults are subject to change over time. The current default is \"transit\".\n\nThe transit mount must be between 1 and 1024 characters when specified, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", "transitKey": "transitKey specifies the name of the encryption key in Vault's Transit engine. 
This key is used to encrypt and decrypt data.\n\nThe transit key must be between 1 and 512 characters, cannot contain forward slashes, and must only contain alphanumeric characters, hyphens, periods, and underscores.", } diff --git a/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index a8c93127950..828f040af4b 100644 --- a/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml @@ -2928,7 +2928,7 @@ tests: prometheusConfig: retention: duration: "15days" - expectedError: 'spec.prometheusConfig.retention.duration: Invalid value: "15days"' + expectedError: 'spec.prometheusConfig.retention.duration: Invalid value: "string": must be a valid Prometheus duration string' - name: Should reject invalid prometheusConfig retention size initial: | apiVersion: config.openshift.io/v1alpha1 
@@ -2939,7 +2939,31 @@ tests: prometheusConfig: retention: size: "500Mi" - expectedError: 'spec.prometheusConfig.retention.size: Invalid value: "500Mi"' + expectedError: 'spec.prometheusConfig.retention.size: Invalid value: "string": must be a valid Prometheus byte-size string' + - name: Should reject prometheusConfig retention with both durationInDays and duration + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + durationInDays: 15 + duration: "15d" + expectedError: 'durationInDays and duration cannot both be set' + - name: Should reject prometheusConfig retention with both sizeInGiB and size + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterMonitoring + spec: + userDefined: + mode: "Disabled" + prometheusConfig: + retention: + sizeInGiB: 500 + size: "500GiB" + expectedError: 'sizeInGiB and size cannot both be set' onUpdate: - name: Should allow updating KubeStateMetricsConfig resources initial: | diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go index 77bf6509311..79858ce332a 100644 --- a/config/v1alpha1/types_cluster_monitoring.go +++ b/config/v1alpha1/types_cluster_monitoring.go 
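Review bot: The two new cases in the @@ -2939 hunk exercise only the rejecting direction of the mutual-exclusion rules; there is no case showing that `durationInDays: 15` alone or `sizeInGiB: 500` alone is still accepted now that the fields are un-tombstoned, nor that `duration` and `size` may be set together. Without an accepting case, a later tightening of the CEL rules (for example a rule that rejects the deprecated field outright) would pass this suite unchanged. Add one accepting case per deprecated field with an `expected:` object mirroring the `initial:` object, alongside the existing rejecting cases. The updated expectedError strings in the @@ -2928 hunk match the CEL message form and look consistent with the `must be a valid Prometheus duration string` rule elsewhere in the patch.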
@@ -2271,36 +2271,34 @@ type SecretKeySelector struct { // Retention configures how long Prometheus retains metrics data and how much storage it can use. // +kubebuilder:validation:MinProperties=1 +// +kubebuilder:validation:XValidation:rule="!has(self.durationInDays) || !has(self.duration)",message="durationInDays and duration cannot both be set" +// +kubebuilder:validation:XValidation:rule="!has(self.sizeInGiB) || !has(self.size)",message="sizeInGiB and size cannot both be set" type Retention struct { - // TOMBSTONE: This field was tombstoned in favor of `duration`. - // --- // durationInDays specifies how many days Prometheus will retain metrics data. + // Deprecated: use duration instead. durationInDays and duration cannot both be set. // Prometheus automatically deletes data older than this duration. // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. // The default value is 15. // Minimum value is 1 day. // Maximum value is 365 days (1 year). - // Former marker: kubebuilder:validation:Minimum=1 - // Former marker: kubebuilder:validation:Maximum=365 - // Former marker: optional - // DurationInDays int32 `json:"durationInDays,omitempty"` + // +kubebuilder:validation:Minimum=1 + // +kubebuilder:validation:Maximum=365 + // +optional + DurationInDays int32 `json:"durationInDays,omitempty"` - // TOMBSTONE: This field was tombstoned in favor of `size`. - // --- // sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus // can use for data blocks and the write-ahead log (WAL). + // Deprecated: use size instead. sizeInGiB and size cannot both be set. // When the limit is reached, Prometheus will delete oldest data first. // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. // Minimum value is 1 GiB. // Maximum value is 16384 GiB (16 TiB). 
- // Former marker: kubebuilder:validation:Minimum=1 - // Former marker: kubebuilder:validation:Maximum=16384 - // Former marker: optional - // SizeInGiB int32 `json:"sizeInGiB,omitempty"` + // +kubebuilder:validation:Minimum=1 + // +kubebuilder:validation:Maximum=16384 + // +optional + SizeInGiB int32 `json:"sizeInGiB,omitempty"` // duration is an optional field that specifies how long Prometheus retains metrics data. - // The format mimics the Prometheus Operator CRD retention field validation pattern so values - // can be passed through to the Prometheus custom resource without conversion. // Valid values are Prometheus duration strings composed of non-negative integer components // with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). // Single-unit forms such as "15d" or "24h" are recommended over composite durations with @@ -2320,14 +2318,11 @@ type Retention struct { // size is an optional field that specifies the maximum storage size that Prometheus // can use for data blocks and the write-ahead log (WAL). - // The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values - // can be passed through to the Prometheus custom resource without conversion. // Valid values are Prometheus byte-size strings with an optional decimal prefix and a // unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB // (for example, "500MiB", "10GiB"). // Must be at least 1 character and at most 32 characters. - // When set to "0", no size limit is enforced. This matches the Prometheus Operator - // retentionSize field, where "0" is the canonical form for disabling size-based retention. + // When set to "0", no size limit is enforced. // When the limit is reached, Prometheus deletes oldest data first. // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. // +kubebuilder:validation:MinLength=1 
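Review bot: In the @@ -2271 hunk the `Deprecated:` sentence for durationInDays (and likewise for sizeInGiB) is placed in the middle of the field comment; Go tooling such as staticcheck only recognises a deprecation when `Deprecated:` begins its own paragraph, so move it to the end of each comment after a blank `//` line, e.g. `//` followed by `// Deprecated: use duration instead. durationInDays and duration cannot both be set.` The struct-level CEL rules make each pair mutually exclusive for new writes, but nothing in the hunk states what a consumer does with an object persisted before this change that carries only the deprecated field; a sentence in the Retention struct comment such as `// durationInDays and sizeInGiB remain honoured when set without their replacement fields.` would make the migration contract explicit (hedged: confirm that is the operator's behaviour). The @@ -2320 hunk only trims doc sentences and raises nothing. The Retention struct continues outside both hunks.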
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml index 5b97fcc0ef1..afd6a273b19 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -4601,8 +4601,6 @@ spec: duration: description: |- duration is an optional field that specifies how long Prometheus retains metrics data. - The format mimics the Prometheus Operator CRD retention field validation pattern so values - can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). Single-unit forms such as "15d" or "24h" are recommended over composite durations with 
@@ -4620,18 +4618,28 @@ spec: x-kubernetes-validations: - message: must be a valid Prometheus duration string rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') + durationInDays: + description: |- + durationInDays specifies how many days Prometheus will retain metrics data. + Deprecated: use duration instead. durationInDays and duration cannot both be set. + Prometheus automatically deletes data older than this duration. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The default value is 15. + Minimum value is 1 day. + Maximum value is 365 days (1 year). + format: int32 + maximum: 365 + minimum: 1 + type: integer size: description: |- size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). - The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values - can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). Must be at least 1 character and at most 32 characters. - When set to "0", no size limit is enforced. This matches the Prometheus Operator - retentionSize field, where "0" is the canonical form for disabling size-based retention. + When set to "0", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. maxLength: 32 
@@ -4640,7 +4648,25 @@ spec: x-kubernetes-validations: - message: must be a valid Prometheus byte-size string rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') + sizeInGiB: + description: |- + sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus + can use for data blocks and the write-ahead log (WAL). + Deprecated: use size instead. sizeInGiB and size cannot both be set. + When the limit is reached, Prometheus will delete oldest data first. + When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. + Minimum value is 1 GiB. + Maximum value is 16384 GiB (16 TiB). + format: int32 + maximum: 16384 + minimum: 1 + type: integer type: object + x-kubernetes-validations: + - message: durationInDays and duration cannot both be set + rule: '!has(self.durationInDays) || !has(self.duration)' + - message: sizeInGiB and size cannot both be set + rule: '!has(self.sizeInGiB) || !has(self.size)' tolerations: description: |- tolerations defines tolerations for the pods. diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index 449f84727ec..47540f0182b 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
@@ -4601,8 +4601,6 @@ spec: duration: description: |- duration is an optional field that specifies how long Prometheus retains metrics data. - The format mimics the Prometheus Operator CRD retention field validation pattern so values - can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). Single-unit forms such as "15d" or "24h" are recommended over composite durations with 
@@ -4620,18 +4618,28 @@ spec: x-kubernetes-validations: - message: must be a valid Prometheus duration string rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') + durationInDays: + description: |- + durationInDays specifies how many days Prometheus will retain metrics data. + Deprecated: use duration instead. durationInDays and duration cannot both be set. + Prometheus automatically deletes data older than this duration. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The default value is 15. + Minimum value is 1 day. + Maximum value is 365 days (1 year). + format: int32 + maximum: 365 + minimum: 1 + type: integer size: description: |- size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). - The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values - can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). Must be at least 1 character and at most 32 characters. - When set to "0", no size limit is enforced. This matches the Prometheus Operator - retentionSize field, where "0" is the canonical form for disabling size-based retention. + When set to "0", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. maxLength: 32 
@@ -4640,7 +4648,25 @@ spec: x-kubernetes-validations: - message: must be a valid Prometheus byte-size string rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') + sizeInGiB: + description: |- + sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus + can use for data blocks and the write-ahead log (WAL). + Deprecated: use size instead. sizeInGiB and size cannot both be set. + When the limit is reached, Prometheus will delete oldest data first. + When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. + Minimum value is 1 GiB. + Maximum value is 16384 GiB (16 TiB). + format: int32 + maximum: 16384 + minimum: 1 + type: integer type: object + x-kubernetes-validations: + - message: durationInDays and duration cannot both be set + rule: '!has(self.durationInDays) || !has(self.duration)' + - message: sizeInGiB and size cannot both be set + rule: '!has(self.sizeInGiB) || !has(self.size)' tolerations: description: |- tolerations defines tolerations for the pods. diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index a6fb2455d5a..a4ac99216f2 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -662,9 +662,11 @@ func (ReplaceActionConfig) SwaggerDoc() map[string]string { } var map_Retention = map[string]string{ - "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", - "duration": "duration is an optional field that specifies how long Prometheus retains metrics data. The format mimics the Prometheus Operator CRD retention field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", - "size": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. 
When set to \"0\", no size limit is enforced. This matches the Prometheus Operator retentionSize field, where \"0\" is the canonical form for disabling size-based retention. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", + "durationInDays": "durationInDays specifies how many days Prometheus will retain metrics data. Deprecated: use duration instead. durationInDays and duration cannot both be set. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", + "sizeInGiB": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). Deprecated: use size instead. sizeInGiB and size cannot both be set. When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", + "duration": "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. 
Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + "size": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", } func (Retention) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 05343c6e985..bbb4bbaf802 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -22920,7 +22920,7 @@ func schema_openshift_api_config_v1_VaultKMSPluginConfig(ref common.ReferenceCal }, "transitMount": { SchemaProps: spec.SchemaProps{ - Description: "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", + Description: "transitMount specifies the mount path of the Vault Transit engine.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a reasonable default. These defaults are subject to change over time. The current default is \"transit\".\n\nThe transit mount must be between 1 and 1024 characters when specified, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", Type: []string{"string"}, Format: "", }, @@ -22933,7 +22933,7 @@ func schema_openshift_api_config_v1_VaultKMSPluginConfig(ref common.ReferenceCal }, }, }, - Required: []string{"kmsPluginImage", "vaultAddress", "authentication", "transitMount", "transitKey"}, + Required: []string{"kmsPluginImage", "vaultAddress", "authentication", "transitKey"}, }, }, Dependencies: []string{ 
@@ -26664,16 +26664,30 @@ func schema_openshift_api_config_v1alpha1_Retention(ref common.ReferenceCallback Description: "Retention configures how long Prometheus retains metrics data and how much storage it can use.", Type: []string{"object"}, Properties: map[string]spec.Schema{ + "durationInDays": { + SchemaProps: spec.SchemaProps{ + Description: "durationInDays specifies how many days Prometheus will retain metrics data. Deprecated: use duration instead. durationInDays and duration cannot both be set. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "sizeInGiB": { + SchemaProps: spec.SchemaProps{ + Description: "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). Deprecated: use size instead. sizeInGiB and size cannot both be set. When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", + Type: []string{"integer"}, + Format: "int32", + }, + }, "duration": { SchemaProps: spec.SchemaProps{ - Description: "duration is an optional field that specifies how long Prometheus retains metrics data. The format mimics the Prometheus Operator CRD retention field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). 
Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + Description: "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", Type: []string{"string"}, Format: "", }, }, "size": { SchemaProps: spec.SchemaProps{ - Description: "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). 
The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. This matches the Prometheus Operator retentionSize field, where \"0\" is the canonical form for disabling size-based retention. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + Description: "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", Type: []string{"string"}, Format: "", }, diff --git a/openapi/openapi.json b/openapi/openapi.json index a37c63605d0..cb92a0ae16b 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -26230,11 +26230,11 @@ "type": "object", "properties": { "duration": { - "description": "duration is an optional field that specifies how long Prometheus retains metrics data. The format mimics the Prometheus Operator CRD retention field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). When set to \"0\", retention is disabled. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + "description": "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", "type": "string" }, "size": { - "description": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). 
The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + "description": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", "type": "string" } } diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index b18ea746404..73318d58e5c 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index b8700ff3f16..270f9fa9fd0 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 6728a62ef56..7a0a5fd6eb2 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -349,10 +349,14 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. These defaults are subject to change over time. + The current default is "transit". + + The transit mount must be between 1 and 1024 characters when specified, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and must only contain + RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward + slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -419,7 +423,6 @@ spec: - authentication - kmsPluginImage - transitKey - - transitMount - vaultAddress type: object required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index 5b97fcc0ef1..afd6a273b19 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml 
@@ -4601,8 +4601,6 @@ spec: duration: description: |- duration is an optional field that specifies how long Prometheus retains metrics data. - The format mimics the Prometheus Operator CRD retention field validation pattern so values - can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). Single-unit forms such as "15d" or "24h" are recommended over composite durations with 
@@ -4620,18 +4618,28 @@ spec: x-kubernetes-validations: - message: must be a valid Prometheus duration string rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') + durationInDays: + description: |- + durationInDays specifies how many days Prometheus will retain metrics data. + Deprecated: use duration instead. durationInDays and duration cannot both be set. + Prometheus automatically deletes data older than this duration. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The default value is 15. + Minimum value is 1 day. + Maximum value is 365 days (1 year). + format: int32 + maximum: 365 + minimum: 1 + type: integer size: description: |- size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). - The format mimics the Prometheus Operator CRD retentionSize field validation pattern so values - can be passed through to the Prometheus custom resource without conversion. Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). Must be at least 1 character and at most 32 characters. - When set to "0", no size limit is enforced. This matches the Prometheus Operator - retentionSize field, where "0" is the canonical form for disabling size-based retention. + When set to "0", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. maxLength: 32 
@@ -4640,7 +4648,25 @@ spec: x-kubernetes-validations: - message: must be a valid Prometheus byte-size string rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') + sizeInGiB: + description: |- + sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus + can use for data blocks and the write-ahead log (WAL). + Deprecated: use size instead. sizeInGiB and size cannot both be set. + When the limit is reached, Prometheus will delete oldest data first. + When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. + Minimum value is 1 GiB. + Maximum value is 16384 GiB (16 TiB). + format: int32 + maximum: 16384 + minimum: 1 + type: integer type: object + x-kubernetes-validations: + - message: durationInDays and duration cannot both be set + rule: '!has(self.durationInDays) || !has(self.duration)' + - message: sizeInGiB and size cannot both be set + rule: '!has(self.sizeInGiB) || !has(self.size)' tolerations: description: |- tolerations defines tolerations for the pods. From a8a2c3390c8e69fdb48669332e64a4fadf4d065a Mon Sep 17 00:00:00 2001 
From: Mario Fernandez Date: Tue, 2 Jun 2026 19:55:57 +0200 Subject: [PATCH 5/9] Tombstone legacy retention fields and tighten duration/size validation Comment out durationInDays and sizeInGiB per v1alpha1 tombstoning conventions, and require "0" as the sole canonical form to disable retention. Reject zero-valued unit strings such as "0d" or "0MiB" while keeping positive Prometheus duration and byte-size values valid. Co-authored-by: Cursor --- .../ClusterMonitoringConfig.yaml | 78 ++++++++++++++++--- config/v1alpha1/types_cluster_monitoring.go | 49 ++++++------ ...ig-operator_01_clustermonitorings.crd.yaml | 63 ++++----------- .../ClusterMonitoringConfig.yaml | 63 ++++----------- .../zz_generated.swagger_doc_generated.go | 8 +- .../generated_openapi/zz_generated.openapi.go | 18 +---- ...ig-operator_01_clustermonitorings.crd.yaml | 63 ++++----------- 7 files changed, 148 insertions(+), 194 deletions(-) diff --git a/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index 828f040af4b..f1e64d39cde 100644 --- a/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
@@ -2918,6 +2918,44 @@ tests:
 prometheusConfig:
 retention:
 size: "500MiB"
+ - name: Should accept prometheusConfig retention duration of zero to disable time-based retention
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ClusterMonitoring
+ spec:
+ userDefined:
+ mode: "Disabled"
+ prometheusConfig:
+ retention:
+ duration: "0"
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ClusterMonitoring
+ spec:
+ userDefined:
+ mode: "Disabled"
+ prometheusConfig:
+ retention:
+ duration: "0"
+ - name: Should accept prometheusConfig retention size of zero to disable size-based retention
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ClusterMonitoring
+ spec:
+ userDefined:
+ mode: "Disabled"
+ prometheusConfig:
+ retention:
+ size: "0"
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ClusterMonitoring
+ spec:
+ userDefined:
+ mode: "Disabled"
+ prometheusConfig:
+ retention:
+ size: "0"
 - name: Should reject invalid prometheusConfig retention duration
 initial: |
 apiVersion: config.openshift.io/v1alpha1
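Review bot: Both new accept cases disable one retention axis at a time; the combination of `duration: "0"` together with `size: "0"`, which leaves Prometheus with neither a time nor a size bound on its on-disk data, is not exercised, so whether the schema admits that pair is left unpinned. As far as this series shows, the remaining object-level rule on Retention is MinProperties=1, which would accept it, so an explicit accept (or reject) case for `retention: {duration: "0", size: "0"}` would document the intended contract for the one configuration with no retention bound at all. The CEL rules that decide this live in types_cluster_monitoring.go, outside this hunk.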
@@ -2928,7 +2966,29 @@ tests:
 prometheusConfig:
 retention:
 duration: "15days"
- expectedError: 'spec.prometheusConfig.retention.duration: Invalid value: "string": must be a valid Prometheus duration string'
+ expectedError: 'must be "0" to disable time-based retention, or a duration string with only positive unit values'
+ - name: Should reject prometheusConfig retention duration with zero-valued unit
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ClusterMonitoring
+ spec:
+ userDefined:
+ mode: "Disabled"
+ prometheusConfig:
+ retention:
+ duration: "0d"
+ expectedError: 'must be "0" to disable time-based retention, or a duration string with only positive unit values'
+ - name: Should reject prometheusConfig retention duration with zero-valued composite unit
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ClusterMonitoring
+ spec:
+ userDefined:
+ mode: "Disabled"
+ prometheusConfig:
+ retention:
+ duration: "0y5d"
+ expectedError: 'must be "0" to disable time-based retention, or a duration string with only positive unit values'
 - name: Should reject invalid prometheusConfig retention size
 initial: |
 apiVersion: config.openshift.io/v1alpha1
@@ -2939,8 +2999,8 @@ tests:
 prometheusConfig:
 retention:
 size: "500Mi"
- expectedError: 'spec.prometheusConfig.retention.size: Invalid value: "string": must be a valid Prometheus byte-size string'
- - name: Should reject prometheusConfig retention with both durationInDays and duration
+ expectedError: 'must be "0" to disable size-based retention, or a positive byte-size string'
+ - name: Should reject prometheusConfig retention size with zero-valued unit
 initial: |
 apiVersion: config.openshift.io/v1alpha1
 kind: ClusterMonitoring
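Review bot: The new duration rejection cases pin only strings whose every component is zero ("0d", "0y5d"); a string that mixes a positive and a zero component, such as "5d0h", is not covered, so whether the rule counts it as a zero-valued unit is left unpinned — a case with `duration: "5d0h"` and the same expectedError (or an accept case, whichever the rule intends) would settle it. The rewritten expectedError values also drop the `spec.prometheusConfig.retention.duration: Invalid value: "string":` prefix the old assertions carried, so, assuming the harness does a substring match, they no longer pin which field produced the message; keeping the field path in the expected string keeps the assertion field-specific. The same prefix drop applies to the size assertion in the second hunk here and to the size cases in the following hunks. The CEL rule being tested lives in types_cluster_monitoring.go, outside this hunk.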
@@ -2949,10 +3009,9 @@ tests:
mode: "Disabled"
prometheusConfig:
retention:
- durationInDays: 15
- duration: "15d"
- expectedError: 'durationInDays and duration cannot both be set'
- - name: Should reject prometheusConfig retention with both sizeInGiB and size
+ size: "0MiB"
+ expectedError: 'must be "0" to disable size-based retention, or a positive byte-size string'
+ - name: Should reject prometheusConfig retention size with zero bytes unit
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ClusterMonitoring
@@ -2961,9 +3020,8 @@ tests:
mode: "Disabled"
prometheusConfig:
retention:
- sizeInGiB: 500
- size: "500GiB"
- expectedError: 'sizeInGiB and size cannot both be set'
+ size: "0B"
+ expectedError: 'must be "0" to disable size-based retention, or a positive byte-size string'
onUpdate:
- name: Should allow updating KubeStateMetricsConfig resources
initial: |
diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go
index 79858ce332a..64aed76c8d0 100644
--- a/config/v1alpha1/types_cluster_monitoring.go
+++ b/config/v1alpha1/types_cluster_monitoring.go
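Review bot: The size cases assert that "0MiB" and "0B" are rejected, but no accept-case covers a fractional positive size, which is where the new rule's second alternative `[0-9]*[.][1-9][0-9]*` behaves unevenly: it accepts "0.5GiB" yet rejects "0.05GiB" because the first decimal digit must be non-zero. Adding an accept-case for `size: "0.5GiB"` and one for `size: "0.05GiB"` would surface that gap before the rule is relied on, since the field's description says any value greater than zero is valid. A case for a value with a trailing zero fraction such as "10.0GiB" would pin the first alternative as well.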
@@ -2271,63 +2271,62 @@ type SecretKeySelector struct {
// Retention configures how long Prometheus retains metrics data and how much storage it can use.
// +kubebuilder:validation:MinProperties=1
-// +kubebuilder:validation:XValidation:rule="!has(self.durationInDays) || !has(self.duration)",message="durationInDays and duration cannot both be set"
-// +kubebuilder:validation:XValidation:rule="!has(self.sizeInGiB) || !has(self.size)",message="sizeInGiB and size cannot both be set"
type Retention struct {
+ // TOMBSTONE: This field has been tombstoned in favor of the `duration` field. This tombstone will be dropped when promoting this API to v1.
+ // ---
// durationInDays specifies how many days Prometheus will retain metrics data.
- // Deprecated: use duration instead. durationInDays and duration cannot both be set.
// Prometheus automatically deletes data older than this duration.
// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
// The default value is 15.
// Minimum value is 1 day.
// Maximum value is 365 days (1 year).
- // +kubebuilder:validation:Minimum=1
- // +kubebuilder:validation:Maximum=365
- // +optional
- DurationInDays int32 `json:"durationInDays,omitempty"`
+ // Former marker: kubebuilder:validation:Minimum=1
+ // Former marker: kubebuilder:validation:Maximum=365
+ // Former marker: optional
+ // DurationInDays int32 `json:"durationInDays,omitempty"`
+ // TOMBSTONE: This field has been tombstoned in favor of the `size` field. This tombstone will be dropped when promoting this API to v1.
+ // ---
// sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus
// can use for data blocks and the write-ahead log (WAL).
- // Deprecated: use size instead. sizeInGiB and size cannot both be set.
// When the limit is reached, Prometheus will delete oldest data first.
// When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.
// Minimum value is 1 GiB.
// Maximum value is 16384 GiB (16 TiB).
- // +kubebuilder:validation:Minimum=1
- // +kubebuilder:validation:Maximum=16384
- // +optional
- SizeInGiB int32 `json:"sizeInGiB,omitempty"`
+ // Former marker: kubebuilder:validation:Minimum=1
+ // Former marker: kubebuilder:validation:Maximum=16384
+ // Former marker: optional
+ // SizeInGiB int32 `json:"sizeInGiB,omitempty"`
// duration is an optional field that specifies how long Prometheus retains metrics data.
- // Valid values are Prometheus duration strings composed of non-negative integer components
- // with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h").
- // Single-unit forms such as "15d" or "24h" are recommended over composite durations with
- // zero-valued components (for example, "0y5d"), which are redundant but valid upstream.
+ // Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms
+ // (for example, "15d", "24h", or "5d1h30m"). Each unit value must be a positive integer.
+ // Composite durations must follow the fixed unit order y, w, d, h, m, s, ms.
// Must be at least 1 character and at most 64 characters.
- // When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d",
- // "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical
- // documented form for disabling time-based retention.
+ // When set to "0", time-based retention is disabled. This is the only supported form for disabling
+ // time-based retention; other zero-duration representations such as "0d", "0h", or "0y" are rejected.
// Prometheus automatically deletes data older than this duration.
// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
// The current default value is `15d`.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
- // +kubebuilder:validation:XValidation:rule=`self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$')`,message="must be a valid Prometheus duration string"
+ // +kubebuilder:validation:XValidation:rule=`self == "0" || (self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$') && self.matches('[1-9][0-9]*(ms|y|w|d|h|m|s)'))`,message=`must be "0" to disable time-based retention, or a duration string with only positive unit values`
// +optional
Duration string `json:"duration,omitempty"`
// size is an optional field that specifies the maximum storage size that Prometheus
// can use for data blocks and the write-ahead log (WAL).
- // Valid values are Prometheus byte-size strings with an optional decimal prefix and a
- // unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB
- // (for example, "500MiB", "10GiB").
+ // Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB,
+ // TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB").
+ // The numeric value must be greater than zero.
// Must be at least 1 character and at most 32 characters.
- // When set to "0", no size limit is enforced.
+ // When set to "0", no size limit is enforced. This is the only supported form for disabling size-based
+ // retention; other zero-size representations such as "0B" or "0MiB" are rejected.
// When the limit is reached, Prometheus deletes oldest data first.
// When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=32
- // +kubebuilder:validation:XValidation:rule=`self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$')`,message="must be a valid Prometheus byte-size string"
+ // +kubebuilder:validation:XValidation:rule=`self == "0" || self.matches('^([1-9][0-9]*([.][0-9]+)?|[0-9]*[.][1-9][0-9]*)((K|M|G|T|E|P)i?)?B$')`,message=`must be "0" to disable size-based retention, or a positive byte-size string`
// +optional
Size string `json:"size,omitempty"`
}
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml
index afd6a273b19..833324b6e5c 100644
--- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml
+++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml
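Review bot: The size rule's fractional alternative `[0-9]*[.][1-9][0-9]*` only admits a non-zero first decimal digit, so positive values such as "0.05GiB" are rejected with the "positive byte-size string" message even though the doc comment on the same field says any value greater than zero is valid and the rule it replaces accepted them. Changing that alternative to `[0-9]*[.][0-9]*[1-9][0-9]*` keeps "0.0B" rejected while accepting any fraction that contains a non-zero digit. Neither rule bounds the digit count, so a duration with dozens of digits or a size in the EiB range passes admission and is presumably only refused when Prometheus parses its flags; a sentence on both fields such as `// The magnitude of the value is not validated at admission time; values Prometheus cannot represent are rejected by Prometheus itself.` would set expectations. The second conjunct of the duration rule, `self.matches('[1-9][0-9]*(ms|y|w|d|h|m|s)')`, is already implied by the anchored first regex once MinLength=1 excludes the empty string and can be dropped to keep the CEL expression short.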
@@ -4601,14 +4601,12 @@ spec: duration: description: |- duration is an optional field that specifies how long Prometheus retains metrics data. - Valid values are Prometheus duration strings composed of non-negative integer components - with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). - Single-unit forms such as "15d" or "24h" are recommended over composite durations with - zero-valued components (for example, "0y5d"), which are redundant but valid upstream. + Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms + (for example, "15d", "24h", or "5d1h30m"). Each unit value must be a positive integer. + Composite durations must follow the fixed unit order y, w, d, h, m, s, ms. Must be at least 1 character and at most 64 characters. - When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", - "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical - documented form for disabling time-based retention. + When set to "0", time-based retention is disabled. This is the only supported form for disabling + time-based retention; other zero-duration representations such as "0d", "0h", or "0y" are rejected. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`. 
@@ -4616,57 +4614,30 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: must be a valid Prometheus duration string - rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') - durationInDays: - description: |- - durationInDays specifies how many days Prometheus will retain metrics data. - Deprecated: use duration instead. durationInDays and duration cannot both be set. - Prometheus automatically deletes data older than this duration. - When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The default value is 15. - Minimum value is 1 day. - Maximum value is 365 days (1 year). - format: int32 - maximum: 365 - minimum: 1 - type: integer + - message: must be "0" to disable time-based retention, or + a duration string with only positive unit values + rule: self == "0" || (self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$') + && self.matches('[1-9][0-9]*(ms|y|w|d|h|m|s)')) size: description: |- size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). - Valid values are Prometheus byte-size strings with an optional decimal prefix and a - unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB - (for example, "500MiB", "10GiB"). + Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, + TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). + The numeric value must be greater than zero. Must be at least 1 character and at most 32 characters. - When set to "0", no size limit is enforced. + When set to "0", no size limit is enforced. 
This is the only supported form for disabling size-based + retention; other zero-size representations such as "0B" or "0MiB" are rejected. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. maxLength: 32 minLength: 1 type: string x-kubernetes-validations: - - message: must be a valid Prometheus byte-size string - rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') - sizeInGiB: - description: |- - sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus - can use for data blocks and the write-ahead log (WAL). - Deprecated: use size instead. sizeInGiB and size cannot both be set. - When the limit is reached, Prometheus will delete oldest data first. - When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. - Minimum value is 1 GiB. - Maximum value is 16384 GiB (16 TiB). - format: int32 - maximum: 16384 - minimum: 1 - type: integer + - message: must be "0" to disable size-based retention, or + a positive byte-size string + rule: self == "0" || self.matches('^([1-9][0-9]*([.][0-9]+)?|[0-9]*[.][1-9][0-9]*)((K|M|G|T|E|P)i?)?B$') type: object - x-kubernetes-validations: - - message: durationInDays and duration cannot both be set - rule: '!has(self.durationInDays) || !has(self.duration)' - - message: sizeInGiB and size cannot both be set - rule: '!has(self.sizeInGiB) || !has(self.size)' tolerations: description: |- tolerations defines tolerations for the pods. diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index 47540f0182b..331c227d3fc 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
+++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml @@ -4601,14 +4601,12 @@ spec: duration: description: |- duration is an optional field that specifies how long Prometheus retains metrics data. - Valid values are Prometheus duration strings composed of non-negative integer components - with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). - Single-unit forms such as "15d" or "24h" are recommended over composite durations with - zero-valued components (for example, "0y5d"), which are redundant but valid upstream. + Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms + (for example, "15d", "24h", or "5d1h30m"). Each unit value must be a positive integer. + Composite durations must follow the fixed unit order y, w, d, h, m, s, ms. Must be at least 1 character and at most 64 characters. - When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", - "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical - documented form for disabling time-based retention. + When set to "0", time-based retention is disabled. This is the only supported form for disabling + time-based retention; other zero-duration representations such as "0d", "0h", or "0y" are rejected. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`. 
@@ -4616,57 +4614,30 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: must be a valid Prometheus duration string - rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') - durationInDays: - description: |- - durationInDays specifies how many days Prometheus will retain metrics data. - Deprecated: use duration instead. durationInDays and duration cannot both be set. - Prometheus automatically deletes data older than this duration. - When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The default value is 15. - Minimum value is 1 day. - Maximum value is 365 days (1 year). - format: int32 - maximum: 365 - minimum: 1 - type: integer + - message: must be "0" to disable time-based retention, or + a duration string with only positive unit values + rule: self == "0" || (self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$') + && self.matches('[1-9][0-9]*(ms|y|w|d|h|m|s)')) size: description: |- size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). - Valid values are Prometheus byte-size strings with an optional decimal prefix and a - unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB - (for example, "500MiB", "10GiB"). + Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, + TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). + The numeric value must be greater than zero. Must be at least 1 character and at most 32 characters. - When set to "0", no size limit is enforced. + When set to "0", no size limit is enforced. 
This is the only supported form for disabling size-based + retention; other zero-size representations such as "0B" or "0MiB" are rejected. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. maxLength: 32 minLength: 1 type: string x-kubernetes-validations: - - message: must be a valid Prometheus byte-size string - rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') - sizeInGiB: - description: |- - sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus - can use for data blocks and the write-ahead log (WAL). - Deprecated: use size instead. sizeInGiB and size cannot both be set. - When the limit is reached, Prometheus will delete oldest data first. - When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. - Minimum value is 1 GiB. - Maximum value is 16384 GiB (16 TiB). - format: int32 - maximum: 16384 - minimum: 1 - type: integer + - message: must be "0" to disable size-based retention, or + a positive byte-size string + rule: self == "0" || self.matches('^([1-9][0-9]*([.][0-9]+)?|[0-9]*[.][1-9][0-9]*)((K|M|G|T|E|P)i?)?B$') type: object - x-kubernetes-validations: - - message: durationInDays and duration cannot both be set - rule: '!has(self.durationInDays) || !has(self.duration)' - - message: sizeInGiB and size cannot both be set - rule: '!has(self.sizeInGiB) || !has(self.size)' tolerations: description: |- tolerations defines tolerations for the pods. diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index a4ac99216f2..2194d79def9 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -662,11 +662,9 @@ func (ReplaceActionConfig) SwaggerDoc() map[string]string { } var map_Retention = map[string]string{ - "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", - "durationInDays": "durationInDays specifies how many days Prometheus will retain metrics data. Deprecated: use duration instead. durationInDays and duration cannot both be set. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", - "sizeInGiB": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). Deprecated: use size instead. sizeInGiB and size cannot both be set. When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", - "duration": "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", - "size": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", + "duration": "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", or \"5d1h30m\"). Each unit value must be a positive integer. Composite durations must follow the fixed unit order y, w, d, h, m, s, ms. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. This is the only supported form for disabling time-based retention; other zero-duration representations such as \"0d\", \"0h\", or \"0y\" are rejected. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + "size": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). 
Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). The numeric value must be greater than zero. Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. This is the only supported form for disabling size-based retention; other zero-size representations such as \"0B\" or \"0MiB\" are rejected. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", } func (Retention) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index bbb4bbaf802..33c3118d333 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -26664,30 +26664,16 @@ func schema_openshift_api_config_v1alpha1_Retention(ref common.ReferenceCallback Description: "Retention configures how long Prometheus retains metrics data and how much storage it can use.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "durationInDays": { - SchemaProps: spec.SchemaProps{ - Description: "durationInDays specifies how many days Prometheus will retain metrics data. Deprecated: use duration instead. durationInDays and duration cannot both be set. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", - Type: []string{"integer"}, - Format: "int32", - }, - }, - "sizeInGiB": { - SchemaProps: spec.SchemaProps{ - Description: "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). Deprecated: use size instead. sizeInGiB and size cannot both be set. When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", - Type: []string{"integer"}, - Format: "int32", - }, - }, "duration": { SchemaProps: spec.SchemaProps{ - Description: "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. 
When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + Description: "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", or \"5d1h30m\"). Each unit value must be a positive integer. Composite durations must follow the fixed unit order y, w, d, h, m, s, ms. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. This is the only supported form for disabling time-based retention; other zero-duration representations such as \"0d\", \"0h\", or \"0y\" are rejected. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", Type: []string{"string"}, Format: "", }, }, "size": { SchemaProps: spec.SchemaProps{ - Description: "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. 
When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + Description: "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). The numeric value must be greater than zero. Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. This is the only supported form for disabling size-based retention; other zero-size representations such as \"0B\" or \"0MiB\" are rejected. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", Type: []string{"string"}, Format: "", }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index afd6a273b19..833324b6e5c 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml 
@@ -4601,14 +4601,12 @@ spec: duration: description: |- duration is an optional field that specifies how long Prometheus retains metrics data. - Valid values are Prometheus duration strings composed of non-negative integer components - with unit suffixes y, w, d, h, m, s, or ms (for example, "15d", "24h", "15h"). - Single-unit forms such as "15d" or "24h" are recommended over composite durations with - zero-valued components (for example, "0y5d"), which are redundant but valid upstream. + Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms + (for example, "15d", "24h", or "5d1h30m"). Each unit value must be a positive integer. + Composite durations must follow the fixed unit order y, w, d, h, m, s, ms. Must be at least 1 character and at most 64 characters. - When set to "0", time-based retention is disabled. Other zero-duration forms such as "0d", - "0h", or "0y" are semantically equivalent in Prometheus parsing, but "0" is the canonical - documented form for disabling time-based retention. + When set to "0", time-based retention is disabled. This is the only supported form for disabling + time-based retention; other zero-duration representations such as "0d", "0h", or "0y" are rejected. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`. 
@@ -4616,57 +4614,30 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: must be a valid Prometheus duration string - rule: self.matches('^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$') - durationInDays: - description: |- - durationInDays specifies how many days Prometheus will retain metrics data. - Deprecated: use duration instead. durationInDays and duration cannot both be set. - Prometheus automatically deletes data older than this duration. - When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The default value is 15. - Minimum value is 1 day. - Maximum value is 365 days (1 year). - format: int32 - maximum: 365 - minimum: 1 - type: integer + - message: must be "0" to disable time-based retention, or + a duration string with only positive unit values + rule: self == "0" || (self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$') + && self.matches('[1-9][0-9]*(ms|y|w|d|h|m|s)')) size: description: |- size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). - Valid values are Prometheus byte-size strings with an optional decimal prefix and a - unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB - (for example, "500MiB", "10GiB"). + Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, + TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). + The numeric value must be greater than zero. Must be at least 1 character and at most 32 characters. - When set to "0", no size limit is enforced. + When set to "0", no size limit is enforced. 
This is the only supported form for disabling size-based + retention; other zero-size representations such as "0B" or "0MiB" are rejected. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. maxLength: 32 minLength: 1 type: string x-kubernetes-validations: - - message: must be a valid Prometheus byte-size string - rule: self.matches('^(0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$') - sizeInGiB: - description: |- - sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus - can use for data blocks and the write-ahead log (WAL). - Deprecated: use size instead. sizeInGiB and size cannot both be set. - When the limit is reached, Prometheus will delete oldest data first. - When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. - Minimum value is 1 GiB. - Maximum value is 16384 GiB (16 TiB). - format: int32 - maximum: 16384 - minimum: 1 - type: integer + - message: must be "0" to disable size-based retention, or + a positive byte-size string + rule: self == "0" || self.matches('^([1-9][0-9]*([.][0-9]+)?|[0-9]*[.][1-9][0-9]*)((K|M|G|T|E|P)i?)?B$') type: object - x-kubernetes-validations: - - message: durationInDays and duration cannot both be set - rule: '!has(self.durationInDays) || !has(self.duration)' - - message: sizeInGiB and size cannot both be set - rule: '!has(self.sizeInGiB) || !has(self.size)' tolerations: description: |- tolerations defines tolerations for the pods. From c67898b00c360f16446d516926a1cf8eeb21aa84 Mon Sep 17 00:00:00 2001 From: Mario Fernandez Date: Wed, 3 Jun 2026 16:44:44 +0200 Subject: [PATCH 6/9] fix review comments 
Signed-off-by: Mario Fernandez --- .../VaultKMS.yaml | 34 ------------------- config/v1alpha1/types_cluster_monitoring.go | 2 +- ...ig-operator_01_clustermonitorings.crd.yaml | 3 +- .../ClusterMonitoringConfig.yaml | 3 +- openapi/openapi.json | 7 ++-- ...ig-operator_01_clustermonitorings.crd.yaml | 3 +- 6 files changed, 7 insertions(+), 45 deletions(-) diff --git a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml index bfbed47e109..34d37142fef 100644 --- a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml @@ -23,7 +23,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-encryption-key expected: | apiVersion: config.openshift.io/v1 @@ -43,7 +42,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-encryption-key - name: Should accept kmsPluginImage with simple two-level path like quay.io/vault/kms-plugin @@ -63,7 +61,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-encryption-key expected: | apiVersion: config.openshift.io/v1 @@ -83,7 +80,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-encryption-key - name: Should be able to create with full Vault KMS Plugin config including all optional fields @@ -154,7 +150,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-encryption-key expected: | apiVersion: config.openshift.io/v1 @@ -174,7 +169,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-encryption-key - name: Should accept kmsPluginImage with deep multi-level namespace path @@ -194,7 +188,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-encryption-key expected: | apiVersion: config.openshift.io/v1 
@@ -214,7 +207,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-encryption-key # RFC 3986 unreserved character tests @@ -315,7 +307,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: encryption.key.v1 expected: | apiVersion: config.openshift.io/v1 @@ -335,7 +326,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: encryption.key.v1 - name: Should reject transitKey with tilde character @@ -355,7 +345,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: key~backup expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores" @@ -386,7 +375,6 @@ tests: vaultAddress: https://vault.example.com:8200 authentication: type: AppRole - transitMount: transit transitKey: my-key expectedError: "appRole config is required when authentication type is AppRole" @@ -408,7 +396,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "the OCI Image reference must end with a valid '@sha256:' suffix" @@ -429,7 +416,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "the OCI Image name should follow the host[:port][/namespace]/name format" @@ -450,7 +436,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long" @@ -472,7 +457,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "must use the 'https' scheme" @@ -493,7 +477,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "must not contain a path" @@ -514,7 +497,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "must not have a query" 
@@ -535,7 +517,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "must not have a fragment" @@ -556,7 +537,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "must not have user info" @@ -579,7 +559,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot end with a forward slash" @@ -601,7 +580,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot contain spaces" @@ -623,7 +601,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -645,7 +622,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -667,7 +643,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -689,7 +664,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -711,7 +685,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -733,7 +706,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -840,7 +812,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my encryption key expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores" 
@@ -861,7 +832,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my/key expectedError: "transitKey cannot contain forward slashes" @@ -903,7 +873,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my@key expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores" @@ -927,7 +896,6 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "serverName must be a valid DNS hostname" @@ -949,7 +917,6 @@ tests: appRole: secret: name: invalid_secret_name! - transitMount: transit transitKey: my-key expectedError: "name must be a valid DNS subdomain name" @@ -973,6 +940,5 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "name must be a valid DNS subdomain name" diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go index 64aed76c8d0..ca2f0216a94 100644 --- a/config/v1alpha1/types_cluster_monitoring.go +++ b/config/v1alpha1/types_cluster_monitoring.go @@ -2310,7 +2310,7 @@ type Retention struct { // The current default value is `15d`. // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=64 - // +kubebuilder:validation:XValidation:rule=`self == "0" || (self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$') && self.matches('[1-9][0-9]*(ms|y|w|d|h|m|s)'))`,message=`must be "0" to disable time-based retention, or a duration string with only positive unit values` + // +kubebuilder:validation:XValidation:rule=`self == "0" || self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$')`,message=`must be "0" to disable time-based retention, or a duration string with only positive unit values` // +optional Duration string `json:"duration,omitempty"` 
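Review bot: The simplified CEL rule on the changed `+kubebuilder:validation:XValidation` line now relies entirely on the separate `MinLength=1` marker to reject an empty duration: every group in `^([1-9][0-9]*y)?…([1-9][0-9]*ms)?$` is optional, so the anchored pattern matches `""`, and the dropped second `matches()` was the only in-rule guarantee that at least one unit was present. Dropping it is correct while MinLength stays, so that coupling deserves a comment next to the rule, e.g. `// All groups are optional, so the pattern also matches ""; MinLength=1 above is what rejects an empty duration - keep the two together.` Separately, each digit run is unbounded up to MaxLength=64, so a value such as `99999999999999999999y` passes admission but would, as far as I recall, be rejected by Prometheus's duration parser as out of range, moving the failure from admission to reconcile time; bounding each group (for example `[1-9][0-9]{0,8}`) or at least stating the limitation in the field doc seems worth considering. The enclosing Retention struct begins before this hunk and continues after it.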
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml
index 833324b6e5c..1d541afc757 100644
--- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml
+++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml
@@ -4616,8 +4616,7 @@ spec:
x-kubernetes-validations:
- message: must be "0" to disable time-based retention, or a duration string with only positive unit values
- rule: self == "0" || (self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$')
- && self.matches('[1-9][0-9]*(ms|y|w|d|h|m|s)'))
+ rule: self == "0" || self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$')
size:
description: |-
size is an optional field that specifies the maximum storage size that Prometheus
diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml
index 331c227d3fc..2b47bb31e70 100644
--- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml
+++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml
@@ -4616,8 +4616,7 @@ spec: x-kubernetes-validations: - message: must be "0" to disable time-based retention, or a duration string with only positive unit values - rule: self == "0" || (self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$') - && self.matches('[1-9][0-9]*(ms|y|w|d|h|m|s)')) + rule: self == "0" || self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$') size: description: |- size is an optional field that specifies the maximum storage size that Prometheus diff --git a/openapi/openapi.json b/openapi/openapi.json index cb92a0ae16b..7988bf01da4 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -23981,7 +23981,6 @@ "kmsPluginImage", "vaultAddress", "authentication", - "transitMount", "transitKey" ], "properties": { @@ -24004,7 +24003,7 @@ "type": "string" }, "transitMount": { - "description": "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", + "description": "transitMount specifies the mount path of the Vault Transit engine.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a reasonable default. These defaults are subject to change over time. The current default is \"transit\".\n\nThe transit mount must be between 1 and 1024 characters when specified, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", "type": "string" }, "vaultAddress": { 
@@ -26230,11 +26229,11 @@ "type": "object", "properties": { "duration": { - "description": "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus duration strings composed of non-negative integer components with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", \"15h\"). Single-unit forms such as \"15d\" or \"24h\" are recommended over composite durations with zero-valued components (for example, \"0y5d\"), which are redundant but valid upstream. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. Other zero-duration forms such as \"0d\", \"0h\", or \"0y\" are semantically equivalent in Prometheus parsing, but \"0\" is the canonical documented form for disabling time-based retention. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `15d`.", + "description": "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", or \"5d1h30m\"). Each unit value must be a positive integer. Composite durations must follow the fixed unit order y, w, d, h, m, s, ms. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. This is the only supported form for disabling time-based retention; other zero-duration representations such as \"0d\", \"0h\", or \"0y\" are rejected. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. 
The current default value is `15d`.", "type": "string" }, "size": { - "description": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are Prometheus byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", + "description": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). The numeric value must be greater than zero. Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. This is the only supported form for disabling size-based retention; other zero-size representations such as \"0B\" or \"0MiB\" are rejected. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", "type": "string" } } diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index 833324b6e5c..1d541afc757 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml 
@@ -4616,8 +4616,7 @@ spec: x-kubernetes-validations: - message: must be "0" to disable time-based retention, or a duration string with only positive unit values - rule: self == "0" || (self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$') - && self.matches('[1-9][0-9]*(ms|y|w|d|h|m|s)')) + rule: self == "0" || self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$') size: description: |- size is an optional field that specifies the maximum storage size that Prometheus From d4cc57b47cf97c7e1dc6b7ab035d0ec7177f8667 Mon Sep 17 00:00:00 2001 From: Mario Fernandez Date: Thu, 4 Jun 2026 17:35:06 +0200 Subject: [PATCH 7/9] Revert unrelated KMS changes to match master Restore types_kmsencryption.go and Vault/KMS integration tests to master, and regenerate config/v1 CRDs and OpenAPI so retention PR no longer includes accidental transitMount API changes. Co-authored-by: Cursor --- .../tests/apiservers.config.openshift.io/KMSEncryption.yaml | 1 - config/v1/types_kmsencryption.go | 4 ++-- ..._10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml | 4 ++-- ...config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml | 4 ++-- ...onfig-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml | 4 ++-- .../apiservers.config.openshift.io/KMSEncryption.yaml | 4 ++-- config/v1/zz_generated.swagger_doc_generated.go | 4 ++-- openapi/generated_openapi/zz_generated.openapi.go | 4 ++-- ..._10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml | 4 ++-- ...config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml | 4 ++-- ...onfig-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml | 4 ++-- 11 files changed, 20 insertions(+), 21 deletions(-) diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml index d4179765b2e..25a9afb6206 100644 
--- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -76,6 +76,5 @@ tests: appRole: secret: name: vault-approle - transitMount: transit transitKey: my-key expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go index 9eddb26b808..67e572b5469 100644 --- a/config/v1/types_kmsencryption.go +++ b/config/v1/types_kmsencryption.go @@ -114,7 +114,7 @@ const ( type VaultAppRoleAuthentication struct { // secret references a secret in the openshift-config namespace containing // the AppRole credentials used to authenticate with Vault. - // The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + // The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. // // +required Secret VaultSecretReference `json:"secret,omitzero"` @@ -230,7 +230,7 @@ type VaultKMSPluginConfig struct { type VaultTLSConfig struct { // caBundle references a ConfigMap in the openshift-config namespace containing // the CA certificate bundle used to verify the TLS connection to the Vault server. - // The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + // The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". // When this field is not set, the system's trusted CA certificates are used. // // The namespace for the ConfigMap is openshift-config. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 73318d58e5c..68cf4c061c1 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- @@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 270f9fa9fd0..abb82549df2 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- 
@@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 7a0a5fd6eb2..66fedd0d874 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- @@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. 
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index 69ad0815ed3..3f832fee66c 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- @@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index e3bcb346336..0301977ce3e 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -2434,7 +2434,7 @@ func (KMSPluginConfig) SwaggerDoc() map[string]string { var map_VaultAppRoleAuthentication = map[string]string{ "": "VaultAppRoleAuthentication defines the configuration for AppRole authentication with Vault.", - "secret": "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The referenced Secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", + "secret": "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", } func (VaultAppRoleAuthentication) SwaggerDoc() map[string]string { 
@@ -2486,7 +2486,7 @@ func (VaultSecretReference) SwaggerDoc() map[string]string { var map_VaultTLSConfig = map[string]string{ "": "VaultTLSConfig contains TLS configuration for connecting to Vault.", - "caBundle": "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The referenced ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |", + "caBundle": "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |", "serverName": "serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. This is useful when the Vault server's hostname doesn't match its TLS certificate. When this field is not set, the hostname from vaultAddress is used for SNI.\n\nThe value must be a valid DNS hostname: it must contain no more than 253 characters, contain only lowercase alphanumeric characters, '-' or '.', and start and end with an alphanumeric character.", } diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 33c3118d333..0c615c5c082 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go 
+++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -22799,7 +22799,7 @@ func schema_openshift_api_config_v1_VaultAppRoleAuthentication(ref common.Refere Properties: map[string]spec.Schema{ "secret": { SchemaProps: spec.SchemaProps{ - Description: "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The referenced Secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", + Description: "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.VaultSecretReference"), }, 
@@ -22971,7 +22971,7 @@ func schema_openshift_api_config_v1_VaultTLSConfig(ref common.ReferenceCallback) Properties: map[string]spec.Schema{ "caBundle": { SchemaProps: spec.SchemaProps{ - Description: "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The referenced ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----", + Description: "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.VaultConfigMapReference"), }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 73318d58e5c..68cf4c061c1 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- @@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 270f9fa9fd0..abb82549df2 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- 
@@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 7a0a5fd6eb2..66fedd0d874 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- @@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. From 94f7c093c1a1787d99d7a4e88e3cc07e2c7c2e0f Mon Sep 17 00:00:00 2001 
From: Mario Fernandez Date: Thu, 4 Jun 2026 18:23:59 +0200 Subject: [PATCH 8/9] Drop unrelated apiservers KMS test changes from retention PR Restore KMSEncryption.yaml and VaultKMS.yaml to match the rebase base so this PR no longer modifies Vault KMS integration tests. Co-authored-by: Cursor --- .../KMSEncryption.yaml | 1 + .../VaultKMS.yaml | 55 +++++++++++++++++++ openapi/openapi.json | 44 ++++++++++----- 3 files changed, 87 insertions(+), 13 deletions(-) diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml index 25a9afb6206..d4179765b2e 100644 --- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -76,5 +76,6 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" diff --git a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml index 34d37142fef..37248a5956c 100644 --- a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml @@ -23,6 +23,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-encryption-key expected: | apiVersion: config.openshift.io/v1 @@ -42,6 +43,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-encryption-key - name: Should accept kmsPluginImage with simple two-level path like quay.io/vault/kms-plugin @@ -61,6 +63,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-encryption-key expected: | apiVersion: config.openshift.io/v1 
@@ -80,6 +83,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-encryption-key - name: Should be able to create with full Vault KMS Plugin config including all optional fields @@ -150,6 +154,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-encryption-key expected: | apiVersion: config.openshift.io/v1 @@ -169,6 +174,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-encryption-key - name: Should accept kmsPluginImage with deep multi-level namespace path @@ -188,6 +194,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-encryption-key expected: | apiVersion: config.openshift.io/v1 @@ -207,6 +214,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-encryption-key # RFC 3986 unreserved character tests @@ -307,6 +315,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: encryption.key.v1 expected: | apiVersion: config.openshift.io/v1 @@ -326,6 +335,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: encryption.key.v1 - name: Should reject transitKey with tilde character @@ -345,6 +355,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: key~backup expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores" 
@@ -375,9 +386,31 @@ tests: vaultAddress: https://vault.example.com:8200 authentication: type: AppRole + transitMount: transit transitKey: my-key expectedError: "appRole config is required when authentication type is AppRole" + # transitMount required field validation + - name: Should reject Vault KMS config without transitMount + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + transitKey: my-key + expectedError: "Required value" + # kmsPluginImage validation tests - name: Should reject kmsPluginImage with tag instead of digest initial: | @@ -396,6 +429,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "the OCI Image reference must end with a valid '@sha256:' suffix" @@ -416,6 +450,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "the OCI Image name should follow the host[:port][/namespace]/name format" @@ -436,6 +471,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long" @@ -457,6 +493,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "must use the 'https' scheme" @@ -477,6 +514,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "must not contain a path" @@ -497,6 +535,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "must not have a query" 
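Review bot: The new negative case `Should reject Vault KMS config without transitMount` pins only `expectedError: "Required value"`, which does not identify which field failed; if the harness matches the expected text as a substring of the full error, a later change that makes some other field required, or a regression that rejects this same manifest for an unrelated reason, would still pass this test. If the compared error string carries the field path, a more specific expectation such as `expectedError: "spec.encryption.kms.vault.transitMount: Required value"` would make the case fail only for the intended reason; the other cases in this file assert bare validation messages, so I cannot tell from here whether the path is available to match on. The remaining `transitMount: transit` insertions in this hunk only keep the existing cases valid and need no change.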
@@ -517,6 +556,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "must not have a fragment" @@ -537,6 +577,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "must not have user info" @@ -559,6 +600,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot end with a forward slash" @@ -580,6 +622,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot contain spaces" @@ -601,6 +644,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -622,6 +666,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -643,6 +688,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -664,6 +710,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -685,6 +732,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -706,6 +754,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "vaultNamespace cannot be a reserved string" @@ -812,6 +861,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my encryption key expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores" 
@@ -832,6 +882,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my/key expectedError: "transitKey cannot contain forward slashes" @@ -873,6 +924,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my@key expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores" @@ -896,6 +948,7 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "serverName must be a valid DNS hostname" @@ -917,6 +970,7 @@ tests: appRole: secret: name: invalid_secret_name! + transitMount: transit transitKey: my-key expectedError: "name must be a valid DNS subdomain name" @@ -940,5 +994,6 @@ tests: appRole: secret: name: vault-approle + transitMount: transit transitKey: my-key expectedError: "name must be a valid DNS subdomain name" diff --git a/openapi/openapi.json b/openapi/openapi.json index 7988bf01da4..e817ba5d736 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -17919,6 +17919,15 @@ }, "x-kubernetes-list-type": "atomic" }, + "groups": { + "description": "groups is an optional, ordered field used to specify the supported groups (formerly known as elliptic curves) that are used during the TLS handshake. The order of the groups represents a suggested preference, with the most preferred group first. Note that not all platform components honor the ordering: Go-based components use Go's internal preference order and treat this list as a filter of allowed groups rather than an ordered preference. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one and at most 7 groups, and each group must be unique.\n\nFor example, to use X25519 and secp256r1 (yaml):\n\n groups:\n - X25519\n - secp256r1", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + }, "minTLSVersion": { "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", "type": "string", 
@@ -23075,6 +23084,15 @@ }, "x-kubernetes-list-type": "atomic" }, + "groups": { + "description": "groups is an optional, ordered field used to specify the supported groups (formerly known as elliptic curves) that are used during the TLS handshake. The order of the groups represents a suggested preference, with the most preferred group first. Note that not all platform components honor the ordering: Go-based components use Go's internal preference order and treat this list as a filter of allowed groups rather than an ordered preference. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one and at most 7 groups, and each group must be unique.\n\nFor example, to use X25519 and secp256r1 (yaml):\n\n groups:\n - X25519\n - secp256r1", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + }, "minTLSVersion": { "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", "type": "string", 
@@ -23087,23 +23105,23 @@ "type": "object", "properties": { "custom": { - "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", + "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic.\n\nThe supported groups list for this profile is empty by default.\n\nAn example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", "$ref": "#/definitions/com.github.openshift.api.config.v1.CustomTLSProfile" }, "intermediate": { - "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", + "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1.\n\nThis 
profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", "$ref": "#/definitions/com.github.openshift.api.config.v1.IntermediateTLSProfile" }, "modern": { - "description": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", + "description": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1. 
This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", "$ref": "#/definitions/com.github.openshift.api.config.v1.ModernTLSProfile" }, "old": { - "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - 
ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", "$ref": "#/definitions/com.github.openshift.api.config.v1.OldTLSProfile" }, "type": { - "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe cipher and groups lists in these profiles are based on version 5.8 of the Mozilla Server Side TLS configuration guidelines. See: https://ssl-config.mozilla.org/guidelines/5.8.json\n\nThe groups are listed in suggested preference order, with the most preferred group first. Note that not all platform components honor the ordering: Go-based components use Go's internal preference order and treat this list as a filter of allowed groups rather than an ordered preference. Note that X25519MLKEM768 is a post-quantum hybrid group that is not FIPS-approved and should be ignored by components running in FIPS mode.\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", "type": "string", "default": "" } 
@@ -23929,7 +23947,7 @@ ], "properties": { "secret": { - "description": "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The referenced Secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", + "description": "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.VaultSecretReference" } 
@@ -24034,7 +24052,7 @@ "type": "object", "properties": { "caBundle": { - "description": "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The referenced ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----", + "description": "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.VaultConfigMapReference" }, 
@@ -24849,7 +24867,7 @@ "type": "object", "properties": { "additionalResourceLabels": { - "description": "additionalResourceLabels defines additional Kubernetes resource labels to expose as metrics in kube-state-metrics, in addition to the default set. Currently, only \"Jobs\" and \"CronJobs\" resources are supported due to cardinality concerns. Each entry specifies a resource name and a list of Kubernetes label names to expose. Use \"*\" in the labels list to expose all labels for a given resource. additionalResourceLabels is optional. When omitted, only the default set of resource labels is exposed. Maximum length for this list is 2. Minimum length for this list is 1. Each resource name must be unique within this list.", + "description": "additionalResourceLabels defines additional Kubernetes resource labels to expose as metrics in kube-state-metrics. Currently, only \"Job\" and \"CronJob\" resources are supported due to cardinality concerns. Each entry specifies a resource name and a list of Kubernetes label names to expose. Use \"*\" in the labels list to expose all labels for a given resource. additionalResourceLabels is optional. When omitted, no additional Kubernetes object labels are exposed as metrics by kube-state-metrics beyond its built-in metric labels (e.g. namespace, job_name). Use this field to opt in to exposing specific Kubernetes labels as metric labels for the supported resource types. Minimum length for this list is 1. Maximum length for this list is 2. Each resource name must be unique within this list.", "type": "array", "items": { "default": {}, 
@@ -24869,7 +24887,7 @@ } }, "resources": { - "description": "resources defines the compute resource requests and limits for the kube-state-metrics container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n - name: memory\n request: 40Mi\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", + "description": "resources defines the compute resource requests and limits for the kube-state-metrics container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", "type": "array", "items": { "default": {}, 
@@ -24881,7 +24899,7 @@ "x-kubernetes-list-type": "map" }, "tolerations": { - "description": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. When specified, tolerations must contain at least 1 entry and must not contain more than 10 entries.", + "description": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, no tolerations are applied. This default is subject to change over time. When specified, tolerations must contain at least 1 entry and must not contain more than 10 entries. Each toleration's operator, when specified, must be either \"Exists\" or \"Equal\". Each toleration's effect, when specified, must be one of \"NoSchedule\", \"PreferNoSchedule\", or \"NoExecute\". An empty or unset effect means match all effects.", "type": "array", "items": { "default": {}, 
@@ -24890,7 +24908,7 @@ "x-kubernetes-list-type": "atomic" }, "topologySpreadConstraints": { - "description": "topologySpreadConstraints defines rules for how kube-state-metrics Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Defaults are empty/unset. When specified, topologySpreadConstraints must contain at least 1 entry and must not contain more than 10 entries. Entries must have unique topologyKey and whenUnsatisfiable pairs.", + "description": "topologySpreadConstraints defines rules for how kube-state-metrics Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nThis field maps directly to the `topologySpreadConstraints` field in the Pod spec. When omitted, no topology spread constraints are applied. This default is subject to change over time. When specified, topologySpreadConstraints must contain at least 1 entry and must not contain more than 10 entries. Entries must have unique topologyKey and whenUnsatisfiable pairs. Each entry's whenUnsatisfiable must be either \"DoNotSchedule\" or \"ScheduleAnyway\". Each entry's maxSkew must be at least 1. When minDomains is specified, it must be at least 1 and whenUnsatisfiable must be \"DoNotSchedule\".", "type": "array", "items": { "default": {}, 
@@ -24913,7 +24931,7 @@ ], "properties": { "labels": { - "description": "labels is the list of Kubernetes label names to expose as metrics for this resource. Use \"*\" to expose all labels for the specified resource. This field is required. Each label name must be unique within this list. Minimum length for this list is 1. Maximum length for this list is 50.", + "description": "labels is the list of Kubernetes label names to expose as metrics for this resource. Use \"*\" to expose all labels for the specified resource. When \"*\" is specified, it must be the only entry in the list; mixing \"*\" with specific label names is not allowed. This field is required. Each label name must be unique within this list. Minimum length for this list is 1. Maximum length for this list is 50.", "type": "array", "items": { "type": "string", @@ -24922,7 +24940,7 @@ "x-kubernetes-list-type": "set" }, "resource": { - "description": "resource is the Kubernetes resource name whose labels should be exposed as metrics. Currently, only \"Jobs\" and \"CronJobs\" are supported due to cardinality concerns. Valid values are \"Jobs\" and \"CronJobs\". This field is required.", + "description": "resource is the Kubernetes resource name whose labels should be exposed as metrics. Currently, only \"Job\" and \"CronJob\" are supported due to cardinality concerns. Valid values are \"Job\" and \"CronJob\". This field is required.", "type": "string" } } From b4b461bd06297e526d2292d5e5693c23c0893431 Mon Sep 17 00:00:00 2001 
From: Mario Fernandez Date: Thu, 4 Jun 2026 19:09:22 +0200 Subject: [PATCH 9/9] Remove all KMS changes from retention PR vs rebase base Restore types_kmsencryption.go, apiservers CRDs, KMSEncryption featuregate manifest, and Vault OpenAPI schemas to match master (332af6b7b). Co-authored-by: Cursor --- config/v1/types_kmsencryption.go | 18 +++++++----------- ...ator_01_apiservers-CustomNoUpgrade.crd.yaml | 17 +++++++---------- ..._01_apiservers-DevPreviewNoUpgrade.crd.yaml | 17 +++++++---------- ...01_apiservers-TechPreviewNoUpgrade.crd.yaml | 17 +++++++---------- .../KMSEncryption.yaml | 17 +++++++---------- .../v1/zz_generated.swagger_doc_generated.go | 6 +++--- .../generated_openapi/zz_generated.openapi.go | 8 ++++---- openapi/openapi.json | 7 ++++--- ...ator_01_apiservers-CustomNoUpgrade.crd.yaml | 17 +++++++---------- ..._01_apiservers-DevPreviewNoUpgrade.crd.yaml | 17 +++++++---------- ...01_apiservers-TechPreviewNoUpgrade.crd.yaml | 17 +++++++---------- 11 files changed, 67 insertions(+), 91 deletions(-) diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go index 67e572b5469..6b58d9da49b 100644 --- a/config/v1/types_kmsencryption.go +++ b/config/v1/types_kmsencryption.go @@ -114,7 +114,7 @@ const ( type VaultAppRoleAuthentication struct { // secret references a secret in the openshift-config namespace containing // the AppRole credentials used to authenticate with Vault. - // The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + // The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. // // +required Secret VaultSecretReference `json:"secret,omitzero"` 
@@ -193,14 +193,10 @@ type VaultKMSPluginConfig struct { // transitMount specifies the mount path of the Vault Transit engine. // - // When omitted, this means the user has no opinion and the platform is left - // to choose a reasonable default. These defaults are subject to change over time. - // The current default is "transit". - // - // The transit mount must be between 1 and 1024 characters when specified, cannot start or - // end with a forward slash, cannot contain consecutive forward slashes, and must only contain - // RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - // slashes as path separators. + // The transit mount must be between 1 and 1024 characters, cannot start or + // end with a forward slash, cannot contain consecutive forward slashes, and + // must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + // period, underscore, tilde) and forward slashes as path separators. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=1024 @@ -208,7 +204,7 @@ type VaultKMSPluginConfig struct { // +kubebuilder:validation:XValidation:rule="!self.endsWith('/')",message="transitMount cannot end with a forward slash" // +kubebuilder:validation:XValidation:rule="!self.contains('//')",message="transitMount cannot contain consecutive forward slashes" // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._~/-]+$')",message="transitMount must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes" - // +optional + // +required TransitMount string `json:"transitMount,omitempty"` // transitKey specifies the name of the encryption key in Vault's Transit engine. 
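Review bot: The rewritten doc comment on transitMount no longer tells the reader that the field is mandatory, even though the marker below it changes to `+required` and the generated CRD manifests add it to their required list; a user reading the generated description sees only the format constraints. Adding `// This field is required.` after the format paragraph would match the wording this repository already uses for other required fields in its OpenAPI descriptions. Separately, the field keeps `json:"transitMount,omitempty"` while becoming required; if the repository's API conventions or its kube-api-linter required-fields check discourage omitempty on required scalar fields, `json:"transitMount"` may be the intended tag — worth confirming against the base this commit restores. The enclosing VaultKMSPluginConfig struct starts and ends outside the hunk.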
@@ -230,7 +226,7 @@ type VaultKMSPluginConfig struct { type VaultTLSConfig struct { // caBundle references a ConfigMap in the openshift-config namespace containing // the CA certificate bundle used to verify the TLS connection to the Vault server. - // The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + // The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". // When this field is not set, the system's trusted CA certificates are used. // // The namespace for the ConfigMap is openshift-config. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 68cf4c061c1..b18ea746404 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- @@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. 
@@ -349,14 +349,10 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - When omitted, this means the user has no opinion and the platform is left - to choose a reasonable default. These defaults are subject to change over time. - The current default is "transit". - - The transit mount must be between 1 and 1024 characters when specified, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and must only contain - RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - slashes as path separators. + The transit mount must be between 1 and 1024 characters, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and + must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + period, underscore, tilde) and forward slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -423,6 +419,7 @@ spec: - authentication - kmsPluginImage - transitKey + - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index abb82549df2..b8700ff3f16 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- @@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. @@ -349,14 +349,10 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - When omitted, this means the user has no opinion and the platform is left - to choose a reasonable default. These defaults are subject to change over time. - The current default is "transit". - - The transit mount must be between 1 and 1024 characters when specified, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and must only contain - RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - slashes as path separators. + The transit mount must be between 1 and 1024 characters, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and + must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + period, underscore, tilde) and forward slashes as path separators. maxLength: 1024 minLength: 1 type: string 
@@ -423,6 +419,7 @@ spec: - authentication - kmsPluginImage - transitKey + - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 66fedd0d874..6728a62ef56 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- @@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. 
@@ -349,14 +349,10 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - When omitted, this means the user has no opinion and the platform is left - to choose a reasonable default. These defaults are subject to change over time. - The current default is "transit". - - The transit mount must be between 1 and 1024 characters when specified, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and must only contain - RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - slashes as path separators. + The transit mount must be between 1 and 1024 characters, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and + must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + period, underscore, tilde) and forward slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -423,6 +419,7 @@ spec: - authentication - kmsPluginImage - transitKey + - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index 3f832fee66c..4bbdc315e3e 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- 
@@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. @@ -349,14 +349,10 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - When omitted, this means the user has no opinion and the platform is left - to choose a reasonable default. These defaults are subject to change over time. - The current default is "transit". - - The transit mount must be between 1 and 1024 characters when specified, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and must only contain - RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - slashes as path separators. + The transit mount must be between 1 and 1024 characters, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and + must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + period, underscore, tilde) and forward slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -423,6 +419,7 @@ spec: - authentication - kmsPluginImage - transitKey + - transitMount - vaultAddress type: object required: diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 0301977ce3e..1e9c65bf862 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -2434,7 +2434,7 @@ func (KMSPluginConfig) SwaggerDoc() map[string]string { var map_VaultAppRoleAuthentication = map[string]string{ "": "VaultAppRoleAuthentication defines the configuration for AppRole authentication with Vault.", - "secret": "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", + "secret": "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The referenced Secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", } func (VaultAppRoleAuthentication) SwaggerDoc() map[string]string { 
@@ -2467,7 +2467,7 @@ var map_VaultKMSPluginConfig = map[string]string{ "vaultNamespace": "vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. This is only applicable for Vault Enterprise installations. When this field is not set, no namespace is used.\n\nThe value must be between 1 and 4096 characters. The namespace cannot end with a forward slash, cannot contain spaces, and cannot be one of the reserved strings: root, sys, audit, auth, cubbyhole, or identity.", "tls": "tls contains the TLS configuration for connecting to the Vault server. When this field is not set, system default TLS settings are used.", "authentication": "authentication defines the authentication method used to authenticate with Vault.", - "transitMount": "transitMount specifies the mount path of the Vault Transit engine.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a reasonable default. These defaults are subject to change over time. The current default is \"transit\".\n\nThe transit mount must be between 1 and 1024 characters when specified, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", + "transitMount": "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", "transitKey": "transitKey specifies the name of the encryption key in Vault's Transit engine. 
This key is used to encrypt and decrypt data.\n\nThe transit key must be between 1 and 512 characters, cannot contain forward slashes, and must only contain alphanumeric characters, hyphens, periods, and underscores.", } @@ -2486,7 +2486,7 @@ func (VaultSecretReference) SwaggerDoc() map[string]string { var map_VaultTLSConfig = map[string]string{ "": "VaultTLSConfig contains TLS configuration for connecting to Vault.", - "caBundle": "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |", + "caBundle": "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The referenced ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |", "serverName": "serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. This is useful when the Vault server's hostname doesn't match its TLS certificate. When this field is not set, the hostname from vaultAddress is used for SNI.\n\nThe value must be a valid DNS hostname: it must contain no more than 253 characters, contain only lowercase alphanumeric characters, '-' or '.', and start and end with an alphanumeric character.", } 
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 0c615c5c082..b5587f11fe7 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -22799,7 +22799,7 @@ func schema_openshift_api_config_v1_VaultAppRoleAuthentication(ref common.Refere Properties: map[string]spec.Schema{ "secret": { SchemaProps: spec.SchemaProps{ - Description: "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", + Description: "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The referenced Secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.VaultSecretReference"), }, 
@@ -22920,7 +22920,7 @@ func schema_openshift_api_config_v1_VaultKMSPluginConfig(ref common.ReferenceCal }, "transitMount": { SchemaProps: spec.SchemaProps{ - Description: "transitMount specifies the mount path of the Vault Transit engine.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a reasonable default. These defaults are subject to change over time. The current default is \"transit\".\n\nThe transit mount must be between 1 and 1024 characters when specified, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", + Description: "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", Type: []string{"string"}, Format: "", }, @@ -22933,7 +22933,7 @@ func schema_openshift_api_config_v1_VaultKMSPluginConfig(ref common.ReferenceCal }, }, }, - Required: []string{"kmsPluginImage", "vaultAddress", "authentication", "transitKey"}, + Required: []string{"kmsPluginImage", "vaultAddress", "authentication", "transitMount", "transitKey"}, }, }, Dependencies: []string{ 
@@ -22971,7 +22971,7 @@ func schema_openshift_api_config_v1_VaultTLSConfig(ref common.ReferenceCallback) Properties: map[string]spec.Schema{ "caBundle": { SchemaProps: spec.SchemaProps{ - Description: "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----", + Description: "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The referenced ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.VaultConfigMapReference"), }, diff --git a/openapi/openapi.json b/openapi/openapi.json index e817ba5d736..3427220fb86 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -23947,7 +23947,7 @@ ], "properties": { "secret": { - "description": "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", + "description": "secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The referenced Secret must contain two keys: \"role-id\" for the AppRole Role ID and \"secret-id\" for the AppRole Secret ID.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.VaultSecretReference" } @@ -23999,6 +23999,7 @@ "kmsPluginImage", "vaultAddress", "authentication", + "transitMount", "transitKey" ], "properties": { @@ -24021,7 +24022,7 @@ "type": "string" }, "transitMount": { - "description": "transitMount specifies the mount path of the Vault Transit engine.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a reasonable default. These defaults are subject to change over time. The current default is \"transit\".\n\nThe transit mount must be between 1 and 1024 characters when specified, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", + "description": "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", "type": "string" }, "vaultAddress": { 
@@ -24052,7 +24053,7 @@ "type": "object", "properties": { "caBundle": { - "description": "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----", + "description": "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The referenced ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.VaultConfigMapReference" }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 68cf4c061c1..b18ea746404 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- @@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. @@ -349,14 +349,10 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - When omitted, this means the user has no opinion and the platform is left - to choose a reasonable default. These defaults are subject to change over time. - The current default is "transit". - - The transit mount must be between 1 and 1024 characters when specified, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and must only contain - RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - slashes as path separators. + The transit mount must be between 1 and 1024 characters, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and + must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + period, underscore, tilde) and forward slashes as path separators. maxLength: 1024 minLength: 1 type: string 
@@ -423,6 +419,7 @@ spec: - authentication - kmsPluginImage - transitKey + - transitMount - vaultAddress type: object required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index abb82549df2..b8700ff3f16 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- @@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. 
@@ -349,14 +349,10 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - When omitted, this means the user has no opinion and the platform is left - to choose a reasonable default. These defaults are subject to change over time. - The current default is "transit". - - The transit mount must be between 1 and 1024 characters when specified, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and must only contain - RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - slashes as path separators. + The transit mount must be between 1 and 1024 characters, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and + must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + period, underscore, tilde) and forward slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -423,6 +419,7 @@ spec: - authentication - kmsPluginImage - transitKey + - transitMount - vaultAddress type: object required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 66fedd0d874..6728a62ef56 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -196,7 +196,7 @@ spec: description: |- secret references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. - The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. properties: name: description: |- 
@@ -276,7 +276,7 @@ spec: description: |- caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. - The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". When this field is not set, the system's trusted CA certificates are used. The namespace for the ConfigMap is openshift-config. @@ -349,14 +349,10 @@ spec: description: |- transitMount specifies the mount path of the Vault Transit engine. - When omitted, this means the user has no opinion and the platform is left - to choose a reasonable default. These defaults are subject to change over time. - The current default is "transit". - - The transit mount must be between 1 and 1024 characters when specified, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and must only contain - RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - slashes as path separators. + The transit mount must be between 1 and 1024 characters, cannot start or + end with a forward slash, cannot contain consecutive forward slashes, and + must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + period, underscore, tilde) and forward slashes as path separators. maxLength: 1024 minLength: 1 type: string @@ -423,6 +419,7 @@ spec: - authentication - kmsPluginImage - transitKey + - transitMount - vaultAddress type: object required: