From 25cb15c916194a01793bad178ed5ee4cf106c5f3 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Fri, 11 Oct 2024 07:57:37 +1000 Subject: [PATCH 01/13] migration from go/v3 to go/v4 --- src/Dockerfile | 9 +- src/Makefile | 10 +- src/PROJECT | 2 +- src/bundle.Dockerfile | 4 +- .../ibm.com_ibmsecurityverifyaccesses.yaml | 3027 ++++++++++++++++- src/config/manager/kustomization.yaml | 4 +- src/config/manager/manager.yaml | 4 +- ...access-operator.clusterserviceversion.yaml | 41 +- src/config/rbac/role.yaml | 35 +- src/controllers/constants.go | 82 - .../ibmsecurityverifyaccess_controller.go | 746 ---- src/controllers/snapshotmgr.go | 1094 ------ src/controllers/suite_test.go | 68 - src/controllers/utils.go | 55 - src/go.mod | 78 +- src/go.sum | 801 +---- src/main.go | 93 - 17 files changed, 3304 insertions(+), 2849 deletions(-) delete mode 100644 src/controllers/constants.go delete mode 100644 src/controllers/ibmsecurityverifyaccess_controller.go delete mode 100644 src/controllers/snapshotmgr.go delete mode 100644 src/controllers/suite_test.go delete mode 100644 src/controllers/utils.go delete mode 100644 src/main.go diff --git a/src/Dockerfile b/src/Dockerfile index 2db6162..3dc7fec 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -1,7 +1,7 @@ # Copyright contributors to the IBM Security Verify Access Operator project # Build the manager binary -FROM golang:1.15 as builder +FROM golang:1.22 AS builder WORKDIR /workspace # Copy the Go Modules manifests @@ -15,12 +15,13 @@ RUN go mod download RUN mkdir /data && mkdir /data/snapshots && mkdir /data/fixpacks && chmod -R 777 /data # Copy the go source -COPY main.go main.go +COPY cmd/main.go cmd/main.go COPY api/ api/ -COPY controllers/ controllers/ +COPY internal/controller/ internal/controller/ # Build -RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go +#RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go +RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details diff --git a/src/Makefile b/src/Makefile index 3bb386f..12c3ac2 100644 --- a/src/Makefile +++ b/src/Makefile @@ -43,7 +43,7 @@ BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:$(VERSION) IMG ?= $(IMAGE_TAG_BASE):$(VERSION) # Produce CRDs that work back to Kubernetes 1.11 (no version conversion) -CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false" +#CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false" # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) @@ -79,7 +79,7 @@ help: ## Display this help. ##@ Development manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." @@ -99,10 +99,10 @@ test: manifests generate fmt vet ## Run tests. ##@ Build build: generate fmt vet ## Build manager binary. - go build -o bin/manager main.go + go build -o bin/manager cmd/main.go run: manifests generate fmt vet ## Run a controller from your host. - go run ./main.go + go run ./cmd/main.go docker-build: test ## Build docker image with the manager. docker build -t ${IMG} . @@ -128,7 +128,7 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi CONTROLLER_GEN = $(shell pwd)/bin/controller-gen controller-gen: ## Download controller-gen locally if necessary. - $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.4.1) + $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.3) KUSTOMIZE = $(shell pwd)/bin/kustomize kustomize: ## Download kustomize locally if necessary. diff --git a/src/PROJECT b/src/PROJECT index 76953b3..137aad0 100644 --- a/src/PROJECT +++ b/src/PROJECT @@ -2,7 +2,7 @@ domain: ibmcom layout: -- go.kubebuilder.io/v3 +- go.kubebuilder.io/v4 plugins: manifests.sdk.operatorframework.io/v2: {} scorecard.sdk.operatorframework.io/v2: {} diff --git a/src/bundle.Dockerfile b/src/bundle.Dockerfile index 5aa9616..7115a44 100644 --- a/src/bundle.Dockerfile +++ b/src/bundle.Dockerfile @@ -6,9 +6,9 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=ibm-security-verify-access-operator LABEL operators.operatorframework.io.bundle.channels.v1=stable -LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0 +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.37.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 -LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3 +LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4 # Labels for testing. LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1 diff --git a/src/config/crd/bases/ibm.com_ibmsecurityverifyaccesses.yaml b/src/config/crd/bases/ibm.com_ibmsecurityverifyaccesses.yaml index 721e139..c22bb72 100644 --- a/src/config/crd/bases/ibm.com_ibmsecurityverifyaccesses.yaml +++ b/src/config/crd/bases/ibm.com_ibmsecurityverifyaccesses.yaml @@ -1,12 +1,9 @@ -# Copyright contributors to the IBM Security Verify Access Operator project - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.16.3 name: ibmsecurityverifyaccesses.ibm.com spec: group: ibm.com @@ -21,41 +18,3023 @@ spec: schema: openAPIV3Schema: description: IBMSecurityVerifyAccess is the Schema for the ibmsecurityverifyaccesses - API + API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: IBMSecurityVerifyAccessSpec defines the desired state of - IBMSecurityVerifyAccess + description: |- + IBMSecurityVerifyAccessSpec defines the desired state of an + IBMSecurityVerifyAccess resource. properties: - foo: - description: Foo is an example field of IBMSecurityVerifyAccess. Edit - ibmsecurityverifyaccess_types.go to remove/update + autoRestart: + default: true + description: |- + AutoRestart is a boolean which indicates whether the deployment should + be restarted if a new snapshot is published + type: boolean + container: + description: |- + The definition for the container which is being created. + Cannot be updated. + properties: + env: + description: |- + List of environment variables to set in the container. + Cannot be updated. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: |- + List of sources to populate environment variables in the container. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is starting. When a key + exists in multiple sources, the value associated with the last source + will take precedence. Values defined by an Env with a duplicate key + will take precedence. + Cannot be updated. + items: + description: EnvFromSource represents the source of a set of + ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key + in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + livenessProbe: + description: |- + Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number must + be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + readinessProbe: + description: |- + Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number must + be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + resources: + description: |- + Compute Resources required by this container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: |- + SecurityContext defines the security options the container should be run + with. If set, the fields of SecurityContext override the equivalent + fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + startupProbe: + description: |- + StartupProbe indicates that the Pod has successfully initialized. + If specified, no other probes are executed until this completes + successfully. If this probe fails, the Pod will be restarted, just as + if the livenessProbe failed. This can be used to provide different + probe parameters at the beginning of a Pod's lifecycle, when it might + take a long time to load data or warm a cache, than during steady-state + operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + properties: + port: + description: Port number of the gRPC service. Number must + be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + volumeDevices: + description: volumeDevices is the list of block devices to be + used by the container. + items: + description: volumeDevice describes a mapping of a raw block + device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container + that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: |- + Pod volumes to mount into the container's filesystem. + Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + type: object + customAnnotations: + description: |- + The set of custom annotations to add to the container being created. + Cannot be updated. + items: + description: Custom annotations to add to deployed Verify Access + runtime container. + properties: + key: + description: Key of the annotation to create. + type: string + value: + description: Value of the annotation to create. + type: string + required: + - key + - value + type: object + type: array + fixpacks: + description: |- + Fixpacks is an array of strings which indicate the name of fixpacks + which should be installed in the deployment. This corresponds to + setting the FIXPACKS environment variable in the deployment itself. + Cannot be updated. + items: + type: string + type: array + ilmtAnnotations: + description: |- + The IBM License Metric Tool annotations to add to runtime containers. Annotations are used by IBM to + track license usage for containerised environments. + properties: + module: + default: webseal + description: Licensed module to attach to container. + enum: + - webseal + - federation + - access_control + - enterprise + type: string + production: + description: Boolean flag to switch between production and development + annotations. + type: boolean + required: + - module + - production + type: object + image: + description: |- + The name of the image which will be used in the deployment. + Cannot be updated. + type: string + imagePullSecrets: + description: |- + ImagePullSecrets is an optional list of references to secrets in the same + namespace to use for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual puller + implementations for them to use. For example, + in the case of docker, only DockerConfig type secrets are honored. + More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + instance: + description: |- + Instance is the name of the Verify Access instance which is being + started. This value is only used for WRP and DSC deployments and is + ignored for Runtime deployments. + Defaults to 'default'. + Cannot be updated. + type: string + language: + description: |- + Language is the language which will be used for messages which are logged + by the deployment. + Cannot be updated. + enum: + - zh_CN.utf8 + - zh_TW.utf8 + - cs_CZ.utf8 + - en_US.utf8 + - fr_FR.utf8 + - de_DE.utf8 + - hu_HU.utf8 + - it_IT.utf8 + - ja_JP.utf8 + - ko_KR.utf8 + - pl_PL.utf8 + - pt_BR.utf8 + - ru_RU.utf8 + - es_ES.utf8 + type: string + replicas: + default: 1 + description: Replicas is the number of pods which will be started + for the deployment. + format: int32 + minimum: 0 + type: integer + serviceAccountName: + description: |- + ServiceAccountName is the name of the ServiceAccount to use to run this pod. + More info: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + type: string + snapshotId: + default: published + description: |- + SnapshotId is a string which is used to indicate the identifier of the + snapshot which should be used. If no identifier is specified a default + snapshot of 'published' will be used. + Cannot be updated. type: string + snapshotSecrets: + description: |- + List of secrets to decrypt configuration snapshot files. Secrets are separated by '||'. This option is the + equivalent of setting the CONFIG_SNAPSHOT_SECRETS environment property. + type: string + snapshotTLSCacert: + default: operator + description: |- + SnapshotTLSCacert is a string which defines how the Verify Access runtime containers + verify connections to the snapshot management service. This option is the equivalent + of setting the CONFIG_SERVICE_TLS_CACERT environment property. The default option for this + property is to read the X509 certificate for the Operator's snapshot management service + from the verify-access-operator secret. + Note: Administrators must ensure that the service account for the runtime containers has + permission to read Secrets in the namespace that the Pod is deployed to in order for this to work. + type: string + volumes: + description: |- + List of volumes that can be mounted by containers belonging to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes + items: + description: Volume represents a named volume in a pod that may + be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount on + the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: None, + Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in the + blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the blob + storage + type: string + fsType: + default: ext4 + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single blob + disk per storage account Managed: azure managed data + disk (only in managed availability set). defaults to shared' + type: string + readOnly: + default: false + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service mount + on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that contains + Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host that + shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: 'path is Optional: Used as the mounted root, + rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should populate + this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether the ConfigMap or its + keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents ephemeral + storage that is handled by certain external CSI drivers (Beta + feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the pod + that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the pod: + only annotations, labels, name, namespace and uid + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative path + name of the file to be created. Must not be absolute + or contain the ''..'' path. Must be utf-8 encoded. + The first item of the relative path must not start + with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that is + attached to a kubelet's host machine and then exposed to the + pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use for + this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds extra + command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached to + a kubelet's host machine. This depends on the Flocker control + service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. This + is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support iSCSI + Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support iSCSI + Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + default: default + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI target + and initiator authentication + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume root + to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI + data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name, namespace and uid are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, + defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' + path. Must be utf-8 encoded. The first + item of the relative path must not start + with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults + to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + description: secret information about the secret data + to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional field specify whether the + Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about + the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + type: string + image: + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + default: /etc/ceph/keyring + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + default: xfs + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + default: ThinProvisioned + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool associated + with the protection domain. + type: string + system: + description: system is the name of the storage system as + configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret or + its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy Based + Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies vSphere + volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - image type: object status: - description: IBMSecurityVerifyAccessStatus defines the observed state - of IBMSecurityVerifyAccess + description: |- + IBMSecurityVerifyAccessStatus defines the observed state of an + IBMSecurityVerifyAccess resource. + properties: + conditions: + description: Conditions is the list of status conditions for this + resource + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array type: object type: object served: true storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/src/config/manager/kustomization.yaml b/src/config/manager/kustomization.yaml index 755aa1c..693e734 100644 --- a/src/config/manager/kustomization.yaml +++ b/src/config/manager/kustomization.yaml @@ -14,5 +14,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller - newName: controller - newTag: latest + newName: icr.io/isva/verify-access-operator + newTag: 24.10.0 diff --git a/src/config/manager/manager.yaml b/src/config/manager/manager.yaml index b033f70..cd9ac50 100644 --- a/src/config/manager/manager.yaml +++ b/src/config/manager/manager.yaml @@ -49,8 +49,8 @@ spec: periodSeconds: 10 resources: limits: - cpu: 200m - memory: 200Mi + cpu: 400m + memory: 500Mi requests: cpu: 100m memory: 20Mi diff --git a/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml b/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml index a8e3571..5d97e32 100644 --- a/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml +++ b/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml @@ -1,5 +1,3 @@ -# Copyright contributors to the IBM Security Verify Access Operator project - apiVersion: operators.coreos.com/v1alpha1 kind: ClusterServiceVersion metadata: @@ -10,7 +8,8 @@ metadata: certified: "false" containerImage: icr.io/isva/verify-access-operator:0000.0000.0000 createdAt: --date-- - description: The IBM Security Verify Access Operator manages the lifecycle of IBM Security Verify Access worker containers. + description: The IBM Security Verify Access Operator manages the lifecycle of + IBM Security Verify Access worker containers. repository: https://github.com/IBM-Security/verify-access-operator support: IBM name: ibm-security-verify-access-operator.v0000.0000.0000 @@ -19,11 +18,43 @@ spec: apiservicedefinitions: {} customresourcedefinitions: owned: - - description: IBMSecurityVerifyAccess is the Schema for the ibmsecurityverifyaccesses API. + - description: IBMSecurityVerifyAccess is the Schema for the ibmsecurityverifyaccesses + API. displayName: IBMSecurity Verify Access kind: IBMSecurityVerifyAccess name: ibmsecurityverifyaccesses.ibm.com version: v1 + resources: + - kind: Deployment + name: '' + version: v1 + specDescriptors: + - description: The name of the IBM Security Verify Access image to be used. + displayName: Image + path: image + x-descriptors: + - 'urn:alm:descriptor:com.tectonic.ui:text' + - description: The name of the Verify Access instance which is being deployed. This value is only used for WRP and DSC deployments and is ignored for Runtime deployments. + displayName: Instance + path: instance + x-descriptors: + - 'urn:alm:descriptor:com.tectonic.ui:text' + - description: The number of pods which will be started for the deployment. + displayName: Replicas + path: replicas + x-descriptors: + - 'urn:alm:descriptor:com.tectonic.ui:number' + - description: A boolean flag which indicates whether the deployment should be automatically restarted when a new snapshot is published. + displayName: Auto Restart + path: autoRestart + x-descriptors: + - 'urn:alm:descriptor:com.tectonic.ui:booleanSwitch' + statusDescriptors: + - description: The list of status conditions associated with the custom resource. + displayName: Conditions + path: conditions + x-descriptors: + - 'urn:alm:descriptor:io.kubernetes.conditions' description: |+ In a world of highly fragmented access management environments, [IBM Security Verify Access](https://www.ibm.com/au-en/products/verify-access) helps you simplify your users' access while more securely adopting web, mobile and cloud technologies. This solution helps you strike a balance between usability and security through the use of risk-based access, single sign-on, integrated access management control, identity federation and its mobile multi-factor authentication capability, IBM Verify. Take back control of your access management with IBM Security Verify Access. @@ -69,4 +100,4 @@ spec: provider: name: IBM url: https://www.ibm.com - version: 0000.0000.0000 + version: 0.0.0 diff --git a/src/config/rbac/role.yaml b/src/config/rbac/role.yaml index c518c0e..5b40fff 100644 --- a/src/config/rbac/role.yaml +++ b/src/config/rbac/role.yaml @@ -1,12 +1,41 @@ -# Copyright contributors to the IBM Security Verify Access Operator project - --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - ibm.com resources: diff --git a/src/controllers/constants.go b/src/controllers/constants.go deleted file mode 100644 index 89f8944..0000000 --- a/src/controllers/constants.go +++ /dev/null @@ -1,82 +0,0 @@ -/* - * Copyright contributors to the IBM Security Verify Access Operator project - */ - -package controllers - -/*****************************************************************************/ - -/* - * The name of the kubernetes file which is used to determine the namespace - * in which the snapshotmgr is running. - */ - -const k8sNamespaceFile string = "/var/run/secrets/kubernetes.io/serviceaccount/namespace" - -/* - * The name which is given to our operator. This same name will also be - * used as the name of the secret which is generated for the operator. - */ - -const operatorName string = "verify-access-operator" - -/* - * The name of our exported snapshot manager configuration service. - */ - -const serviceName string = "verify-access-operator-controller-manager-snapshot-service" - -/* - * The custom resource type. - */ - -const kindName string = "IBMSecurityVerifyAccess" - -/* - * The name of the user which is used to authenticate to the snapshot - * manager. - */ - -const snapshotMgrUser string = "apikey" - -/* - * The name of the various fields in the secret. - */ - -const userFieldName string = "user" -const urlFieldName string = "url" -const roPwdFieldName string = "ro.pwd" -const rwPwdFieldName string = "rw.pwd" -const certFieldName string = "tls.cert" -const keyFieldName string = "tls.key" - -/* - * The length of our generated passwords. - */ - -const pwdLength int = 36 - -/* - * The length of the generated X509 key. - */ - -const keyLength int = 2048 - -/* - * The port on which the snapshot manager will listen for requests. - */ - -const httpsPort int = 7443 - -/* - * The directory on the file system which holds our uploaded files. - */ - -const dataRoot string = "/data" - -/* - * The maximum amount of memory which should be used when receiving a - * file. - */ - -const maxMemory int64 = 1024 diff --git a/src/controllers/ibmsecurityverifyaccess_controller.go b/src/controllers/ibmsecurityverifyaccess_controller.go deleted file mode 100644 index 9a8e960..0000000 --- a/src/controllers/ibmsecurityverifyaccess_controller.go +++ /dev/null @@ -1,746 +0,0 @@ -/* - * Copyright contributors to the IBM Security Verify Access Operator project - */ - -package controllers - -/*****************************************************************************/ - -import ( - appsv1 "k8s.io/api/apps/v1" - apiv1 "k8s.io/api/core/v1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/types" - - "context" - "fmt" - "strings" - "sync" - "time" - - "github.com/go-logr/logr" - - "k8s.io/apimachinery/pkg/runtime" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - - ibmv1 "github.com/ibm-security/verify-access-operator/api/v1" -) - -/*****************************************************************************/ - -/* - * The IBMSecurityVerifyAccessReconciler structure reconciles an - * IBMSecurityVerifyAccess object. - */ - -type IBMSecurityVerifyAccessReconciler struct { - client.Client - - Log logr.Logger - Scheme *runtime.Scheme - localNamespace string - snapshotMgr SnapshotMgr - secretMutex *sync.Mutex -} - -/*****************************************************************************/ - -//+kubebuilder:rbac:groups=ibm.com,resources=ibmsecurityverifyaccesses,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=ibm.com,resources=ibmsecurityverifyaccesses/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=ibm.com,resources=ibmsecurityverifyaccesses/finalizers,verbs=update -//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch -//+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete - -/*****************************************************************************/ - -/* - * Reconcile is part of the main kubernetes reconciliation loop which aims to - * move the current state of the cluster closer to the desired state. - * - * For more details, check Reconcile and its Result here: - * - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.8.3/pkg/reconcile - */ - -func (r *IBMSecurityVerifyAccessReconciler) Reconcile( - ctx context.Context, req ctrl.Request) (ctrl.Result, error) { - - r.Log.V(9).Info("Entering a function", "Function", "Reconcile") - - /* - * Fetch the definition document. - */ - - verifyaccess := &ibmv1.IBMSecurityVerifyAccess{} - err := r.Get(ctx, req.NamespacedName, verifyaccess) - - if err != nil { - if errors.IsNotFound(err) { - /* - * The requested object was not found. It could have been deleted - * after the reconcile request. - */ - - r.Log.Info("The VerifyAccess resource was not found. " + - "Ignoring this error since the object must have been deleted") - - err = nil - } else { - /* - * There was an error reading the object - requeue the request. - */ - - r.Log.Error(err, "Failed to get the VerifyAccess resource") - } - - return ctrl.Result{}, err - } - - /* - * Check if the deployment already exists, and if one doesn't we create a - * new one now. - */ - - found := &appsv1.Deployment{} - err = r.Get( - ctx, - types.NamespacedName{ - Name: verifyaccess.Name, - Namespace: verifyaccess.Namespace}, - found) - - if err != nil { - if errors.IsNotFound(err) { - /* - * The deployment requires a secret which contains the snapshot - * manager credentials. We need to create the secret in the - * destination namespace if it doesn't already exist. - */ - - err = r.createSecret(ctx, verifyaccess) - - if err == nil { - /* - * A deployment does not already exist and so we create a new - * deployment. - */ - - dep := r.deploymentForVerifyAccess(verifyaccess) - - r.Log.Info("Creating a new deployment", "Deployment.Namespace", - dep.Namespace, "Deployment.Name", dep.Name) - - err = r.Create(ctx, dep) - - if err != nil { - r.Log.Error(err, "Failed to create the new deployment", - "Deployment.Namespace", dep.Namespace, - "Deployment.Name", dep.Name) - } - } - - } else { - r.Log.Error(err, "Failed to retrieve the Deployment resource") - } - - r.setCondition(err, true, ctx, verifyaccess) - - return ctrl.Result{}, err - - } - - /* - * The deployment already exists. We now need to check to see if any - * of our CR fields have been updated which will require an update of - * the deployment. - */ - - r.Log.V(5).Info("Found a matching deployment", - "Deployment.Namespace", found.Namespace, - "Deployment.Name", found.Name) - - replicas := verifyaccess.Spec.Replicas - - if *found.Spec.Replicas != replicas { - found.Spec.Replicas = &replicas - - err = r.Update(ctx, found) - - if err != nil { - r.Log.Error(err, "Failed to update deployment", - "Deployment.Namespace", found.Namespace, - "Deployment.Name", found.Name) - } else { - r.Log.Info("Updated an existing deployment", - "Deployment.Namespace", found.Namespace, - "Deployment.Name", found.Name) - } - - r.setCondition(err, false, ctx, verifyaccess) - - return ctrl.Result{}, err - } - - return ctrl.Result{}, nil -} - -/*****************************************************************************/ - -/* - * The following function is used to wrap the logic which updates the - * condition for a failure. - */ - -func (r *IBMSecurityVerifyAccessReconciler) setCondition( - err error, - isCreate bool, - ctx context.Context, - m *ibmv1.IBMSecurityVerifyAccess) error { - - var condReason string - var condMessage string - - if isCreate { - condReason = "DeploymentCreated" - condMessage = "The deployment has been created." - } else { - condReason = "DeploymentUpdated" - condMessage = "The deployment has been updated." - } - - currentTime := metav1.NewTime(time.Now()) - - if err == nil { - m.Status.Conditions = []metav1.Condition{{ - Type: "Available", - Status: metav1.ConditionTrue, - Reason: condReason, - Message: condMessage, - LastTransitionTime: currentTime, - }} - } else { - m.Status.Conditions = []metav1.Condition{{ - Type: "Available", - Status: metav1.ConditionFalse, - Reason: condReason, - Message: err.Error(), - LastTransitionTime: currentTime, - }} - } - - if err := r.Status().Update(ctx, m); err != nil { - r.Log.Error(err, "Failed to update the condition for the resource", - "Deployment.Namespace", m.Namespace, - "Deployment.Name", m.Name) - - return err - } - - return nil -} - -/*****************************************************************************/ - -/* - * The following function is used to create the secret which is used by - * the deployment. - */ - -func (r *IBMSecurityVerifyAccessReconciler) createSecret( - ctx context.Context, - m *ibmv1.IBMSecurityVerifyAccess) (err error) { - - r.secretMutex.Lock() - - /* - * Check to see if the secret already exists. - */ - - secret := &corev1.Secret{} - err = r.Get( - ctx, - types.NamespacedName{ - Name: operatorName, - Namespace: m.Namespace, - }, - secret) - - if err != nil { - if errors.IsNotFound(err) { - /* - * The secret doesn't already exist and so we need to create - * the secret now. - */ - - r.Log.V(5).Info("Creating the secret", - "Deployment.Namespace", m.Namespace, - "Secret.Name", operatorName) - - secret = &corev1.Secret{ - Type: apiv1.SecretTypeOpaque, - ObjectMeta: metav1.ObjectMeta{ - Name: operatorName, - Namespace: m.Namespace, - }, - StringData: map[string]string{ - userFieldName: snapshotMgrUser, - urlFieldName: r.snapshotMgr.creds[urlFieldName], - roPwdFieldName: r.snapshotMgr.creds[roPwdFieldName], - certFieldName: r.snapshotMgr.creds[certFieldName], - }, - } - - err = r.Create(ctx, secret) - - if err != nil { - r.Log.Error(err, "Failed to create the secret", - "Deployment.Namespace", m.Namespace, - "Secret.Name", operatorName) - } - } else { - r.Log.Error(err, "Failed to retrieve the secret", - "Deployment.Namespace", m.Namespace, - "Secret.Name", operatorName) - } - } else { - r.Log.V(5).Info("Found an existing secret, checking values are correct", - "Deployment.Namespace", m.Namespace, - "Secret.Name", operatorName) - var requireUpdate bool - for k, v := range secret.Data { - strVal := fmt.Sprintf("%s", v) - if _, ok := r.snapshotMgr.creds[k]; ok { - if r.snapshotMgr.creds[k] != strVal { - requireUpdate = true - } - } else { - r.Log.V(1).Info(fmt.Sprintf("Unknown key [%s] found in verify-access-operator secret!", k)) - } - } - r.Log.V(7).Info(fmt.Sprintf("Secret require update %t", requireUpdate)) - if requireUpdate == true { - secret = &corev1.Secret{ - Type: apiv1.SecretTypeOpaque, - ObjectMeta: metav1.ObjectMeta{ - Name: operatorName, - Namespace: m.Namespace, - }, - StringData: map[string]string{ - userFieldName: snapshotMgrUser, - urlFieldName: r.snapshotMgr.creds[urlFieldName], - roPwdFieldName: r.snapshotMgr.creds[roPwdFieldName], - certFieldName: r.snapshotMgr.creds[certFieldName], - }, - } - - err = r.Update(ctx, secret) - } - } - - r.secretMutex.Unlock() - - return -} - -/*****************************************************************************/ - -/* - * The following function is used to return a VerifyAccess Deployment object. - * - * We map the following IBMSecurityVerifyAccess attributes to a corresponding - * attribute in the Deployment structure: - * - * IBMSecurityVerifyAccess spec | Deployment spec - * ---------------------------- | --------------- - * replicas | replicas - * image | template.spec.containers[0].image - * snapshotId | template.spec.containers[0].env - * fixpacks | template.spec.containers[0].env - * instance | template.spec.containers[0].env - * languages | template.spec.containers[0].env - * volumes | template.spec.volumes - * imagePullSecrets | template.spec.imagePullSecrets - * serviceAccountName | template.spec.serviceAccountName - * container | template.spec.containers[0] - * - * We will pre-propulate: - * - metadata - * - spec.selector - * - template.spec.containers[0].name - * - template.spec.containers[0].ports - * - template.spec.containers[0].livenessProbe - * - template.spec.containers[0].readinessProbe - * - template.spec.containers[0].startupProbe - * - template.spec.containers[0].env (for CONFIG_SERVICE_XXX variables) - */ - -func (r *IBMSecurityVerifyAccessReconciler) deploymentForVerifyAccess( - m *ibmv1.IBMSecurityVerifyAccess) *appsv1.Deployment { - /* - * Work out the name of the service. We determine this from the name of - * the image, and the value of the INSTANCE environment variable. - */ - - serviceName := "unknown" - imageComponent := strings.Split(m.Spec.Image, ":")[0] - - if strings.HasSuffix(imageComponent, "wrp") { - if m.Spec.Instance != "" { - serviceName = fmt.Sprintf("wrp-%s", m.Spec.Instance) - } else { - serviceName = "wrp-default" - } - } else if strings.HasSuffix(imageComponent, "runtime") { - serviceName = "runtime" - } else if strings.HasSuffix(imageComponent, "dsc") { - if m.Spec.Instance != "" { - serviceName = fmt.Sprintf("dsc-%s", m.Spec.Instance) - } else { - serviceName = "dsc-1" - } - } - - /* - * The labels which are used in our deployment. - */ - - labels := map[string]string{ - "kind": kindName, - "app": m.Name, - "VerifyAccess_cr": m.Name, - "service": serviceName, - } - - falseVar := false - - /* - * The port which is exported by the deployment. - */ - - ports := []corev1.ContainerPort{{ - Name: "https", - ContainerPort: 9443, - Protocol: corev1.ProtocolTCP, - }} - - /* - * The liveness, readiness and start-up probe definitions. - */ - - livenessProbe := m.Spec.Container.LivenessProbe - - if livenessProbe == nil { - livenessProbe = &corev1.Probe{ - TimeoutSeconds: 3, - Handler: corev1.Handler{ - Exec: &corev1.ExecAction{ - Command: []string{ - "/sbin/health_check.sh", - "livenessProbe", - }, - }, - }, - } - } - - readinessProbe := m.Spec.Container.ReadinessProbe - - if readinessProbe == nil { - readinessProbe = &corev1.Probe{ - TimeoutSeconds: 3, - Handler: corev1.Handler{ - Exec: &corev1.ExecAction{ - Command: []string{ - "/sbin/health_check.sh", - }, - }, - }, - } - } - startupProbe := m.Spec.Container.StartupProbe - - if startupProbe == nil { - startupProbe = &corev1.Probe{ - InitialDelaySeconds: 5, - TimeoutSeconds: 20, - FailureThreshold: 30, - Handler: corev1.Handler{ - Exec: &corev1.ExecAction{ - Command: []string{ - "/sbin/health_check.sh", - "startupProbe", - }, - }, - }, - } - } - - /* - * Set up the environment variables which are used to access the - * embedded snapshot manager. - */ - - maxEnv := 7 - env := make([]corev1.EnvVar, 0, maxEnv) - - env = append(env, corev1.EnvVar{ - Name: "CONFIG_SERVICE_URL", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: operatorName, - }, - Key: urlFieldName, - Optional: &falseVar, - }, - }, - }) - - env = append(env, corev1.EnvVar{ - Name: "CONFIG_SERVICE_USER_NAME", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: operatorName, - }, - Key: userFieldName, - Optional: &falseVar, - }, - }, - }) - - env = append(env, corev1.EnvVar{ - Name: "CONFIG_SERVICE_USER_PWD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: operatorName, - }, - Key: roPwdFieldName, - Optional: &falseVar, - }, - }, - }) - - /* If a config snapshot secrets property has been defiend add - it to runtime containers - */ - if m.Spec.SnapshotSecrets != "" { - env = append(env, corev1.EnvVar{ - Name: "CONFIG_SNAPSHOT_SECRETS", - Value: m.Spec.SnapshotSecrets, - }) - } - - /* Add TLS CAcert properties if they exist, else use kubernetes - PKI as the default - */ - if m.Spec.SnapshotTLSCacert != "" { - env = append(env, corev1.EnvVar{ - Name: "CONFIG_SERVICE_TLS_CACERT", - Value: m.Spec.SnapshotTLSCacert, - }) - } else { - env = append(env, corev1.EnvVar{ - Name: "CONFIG_SERVICE_TLS_CACERT", - Value: "operator", - }) - } - - /* - * Add the rest of the environment variables (if specified). - */ - - if m.Spec.SnapshotId != "" { - env = append(env, corev1.EnvVar{ - Name: "SNAPSHOT_ID", - Value: m.Spec.SnapshotId, - }) - } - - if len(m.Spec.Fixpacks) > 0 { - env = append(env, corev1.EnvVar{ - Name: "FIXPACKS", - Value: strings.Join(m.Spec.Fixpacks, ","), - }) - } - - if m.Spec.Instance != "" { - env = append(env, corev1.EnvVar{ - Name: "INSTANCE", - Value: m.Spec.Instance, - }) - } - - if m.Spec.Language != "" { - env = append(env, corev1.EnvVar{ - Name: "LANG", - Value: string(m.Spec.Language), - }) - } - - /* - * Set up the rest of the deployment descriptor. - */ - - dep := &appsv1.Deployment{ - ObjectMeta: metav1.ObjectMeta{ - Name: m.Name, - Namespace: m.Namespace, - Labels: labels, - }, - Spec: appsv1.DeploymentSpec{ - Replicas: &m.Spec.Replicas, - Selector: &metav1.LabelSelector{ - MatchLabels: labels, - }, - Template: corev1.PodTemplateSpec{ - ObjectMeta: metav1.ObjectMeta{ - Labels: labels, - }, - Spec: corev1.PodSpec{ - Volumes: m.Spec.Volumes, - ImagePullSecrets: m.Spec.ImagePullSecrets, - ServiceAccountName: m.Spec.ServiceAccountName, - Containers: []corev1.Container{{ - Env: m.Spec.Container.Env, - EnvFrom: m.Spec.Container.EnvFrom, - Image: m.Spec.Image, - ImagePullPolicy: m.Spec.Container.ImagePullPolicy, - LivenessProbe: livenessProbe, - Name: m.Name, - Ports: ports, - ReadinessProbe: readinessProbe, - Resources: m.Spec.Container.Resources, - SecurityContext: m.Spec.Container.SecurityContext, - StartupProbe: startupProbe, - VolumeDevices: m.Spec.Container.VolumeDevices, - VolumeMounts: m.Spec.Container.VolumeMounts, - }}, - }, - }, - }, - } - - licenseAnnotations := m.Spec.LicenseAnnotations - - if licenseAnnotations != nil { - annotations := map[string]string{ - "productMetric": "PROCESSOR_VALUE_UNIT", - "productChargedContainers": "All", - "productName": "IBM Security Verify Access Virtual Edition", - "productId": "e2ba21cf5df245bb8524be1957857d9f", - } - prod := m.Spec.LicenseAnnotations.Production - module := m.Spec.LicenseAnnotations.Module - switch module { - case "access_control": - if prod == false { - annotations["productName"] = "IBM Security Verify Access Virtual Edition AAC Module Non-Production AOS" - annotations["productId"] = "707987d5b0ca48e8af8e5856c027980f" - } else { - annotations["productName"] = "IBM Security Verify Access Virtual Edition AAC Module AOS" - annotations["productId"] = "25d814176e0f4f21b64db66b916414d4" - } - - case "federation": - if prod == false { - annotations["productName"] = "IBM Security Verify Access Virtual Ed Federation Module Non-Production AOS" - annotations["productId"] = "01a9d83608044a4687b3d29a0d4d0a35" - } else { - annotations["productName"] = "IBM Security Verify Access Virtual Edition Federation Module AOS" - annotations["productId"] = "13ce5584032a42eab5704711369a11a4" - } - - case "enterprise": - if prod == false { - annotations["productName"] = "IBM Security Verify Access Virtual Enterprise Edition Non-Production" - annotations["productId"] = "de0d1dce07f145ce9380be5182a68544" - } else { - annotations["productName"] = "IBM Security Verify Access Virtual Enterprise Edition" - annotations["productId"] = "62b1cf23e32140a684284a0cf9a37329" - } - - default: - if prod == false { - annotations["productName"] = "IBM Security Verify Access Virtual Edition Non-Production" - annotations["productId"] = "8e4a78ab1e9249b1b46b6870babf4945" - } // else we use the default - } - dep.Spec.Template.ObjectMeta.SetAnnotations(annotations) - } - - // If administrator provided annotations exist, apply them here. This could rewrite the license annotations - customAnnotations := m.Spec.CustomAnnotations - if customAnnotations != nil { - annotations := make(map[string]string) - if dep.Spec.Template.ObjectMeta.Annotations != nil { - for k, v := range dep.Spec.Template.ObjectMeta.Annotations { - annotations[k] = v - } - } - for _, e := range customAnnotations { - annotations[e.Key] = e.Value - } - dep.Spec.Template.ObjectMeta.SetAnnotations(annotations) - } - - dep.Spec.Template.Spec.Containers[0].Env = append( - dep.Spec.Template.Spec.Containers[0].Env, env...) - - // Set the VerifyAccess instance as the owner and controller - ctrl.SetControllerReference(m, dep, r.Scheme) - - return dep -} - -/*****************************************************************************/ - -/* - * The following function is used to set up the controller with the Manager. - */ - -func (r *IBMSecurityVerifyAccessReconciler) SetupWithManager( - mgr ctrl.Manager) error { - - r.secretMutex = &sync.Mutex{} - - /* - * Work out the namespace in which we are running. - */ - - r.localNamespace, _ = getLocalNamespace(r.Log) - - /* - * Initialise and start the snapshot manager. - */ - - r.snapshotMgr = SnapshotMgr{ - config: mgr.GetConfig(), - scheme: mgr.GetScheme(), - log: r.Log.WithName("SnapshotMgr"), - } - - err := r.snapshotMgr.initialize() - - if err != nil { - return err - } - - go r.snapshotMgr.start() - - /* - * Register our controller. - */ - - return ctrl.NewControllerManagedBy(mgr). - For(&ibmv1.IBMSecurityVerifyAccess{}). - Owns(&appsv1.Deployment{}). - Complete(r) -} - -/*****************************************************************************/ diff --git a/src/controllers/snapshotmgr.go b/src/controllers/snapshotmgr.go deleted file mode 100644 index 34f8971..0000000 --- a/src/controllers/snapshotmgr.go +++ /dev/null @@ -1,1094 +0,0 @@ -/* - * Copyright contributors to the IBM Security Verify Access Operator project - */ - -package controllers - -/*****************************************************************************/ - -import ( - "bytes" - "context" - "crypto/rand" - "crypto/rsa" - "crypto/tls" - "crypto/x509" - "crypto/x509/pkix" - "encoding/json" - "encoding/pem" - "errors" - "fmt" - "io" - "math/big" - "net" - "net/http" - "os" - "os/signal" - "path/filepath" - "strconv" - "strings" - "sync" - "syscall" - "time" - - "github.com/go-logr/logr" - - "sigs.k8s.io/controller-runtime/pkg/client" - - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/kubernetes" - "k8s.io/client-go/rest" - - apiV1 "k8s.io/api/core/v1" - metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1" - appsV1 "k8s.io/client-go/kubernetes/typed/apps/v1" - coreV1 "k8s.io/client-go/kubernetes/typed/core/v1" - - ibmv1 "github.com/ibm-security/verify-access-operator/api/v1" -) - -/*****************************************************************************/ - -type SnapshotMgr struct { - config *rest.Config - scheme *runtime.Scheme - - log logr.Logger - - server *http.Server - creds map[string]string - - restartMutex *sync.Mutex - webMutex *sync.RWMutex -} - -/*****************************************************************************/ - -/* - * This function is used to trigger a rolling restart of our deployments. This - * will occur whenever a new snapshot is uploaded. - */ - -func (mgr *SnapshotMgr) rollingRestart(path string, modified string) { - - mgr.log.V(9).Info("Entering a function", "Function", "rollingRestart") - - /* - * Work out the list of modified services. - */ - - var services []string - - if len(modified) > 0 { - services = strings.Split(strings.Replace(modified, ":", "-", -1), ",") - } - - /* - * Grab a lock to ensure that we don't process multiple simultaneous - * restarts. - */ - - mgr.restartMutex.Lock() - - /* - * Work out the snapshot identifier, if a snapshot has been provided. - */ - - snapshotId := "" - - if strings.HasPrefix(path, "/snapshots/") { - snapshotName := filepath.Base(filepath.Clean(path)) - - /* - * We now need to pull out the snapshot identifier from the - * name of the snapshot. The snapshot name is of the format: - * isva__.snapshot - */ - - parts := strings.Split(snapshotName, "_") - - if len(parts) != 3 { - mgr.restartMutex.Unlock() - - mgr.log.Info("No deployments will be restarted as the "+ - "snapshot name is invalid", "Snapshot.Name", snapshotName) - - return - } - - parts = strings.Split(parts[2], ".") - - if len(parts) != 2 { - mgr.restartMutex.Unlock() - - mgr.log.Info("No deployments will be restarted as the "+ - "snapshot name is invalid", "Snapshot.Name", snapshotName) - - return - } - - snapshotId = parts[0] - - mgr.log.V(5).Info("Processing a snapshot", "Snapshot.Id", "snapshotId") - } - - /* - * Create a new client based on our configuration. - */ - - appsV1Client, err := appsV1.NewForConfig(mgr.config) - if err != nil { - mgr.restartMutex.Unlock() - - mgr.log.Error(err, "Failed to create a new K8S Application client") - - return - } - - rtClient, err := client.New(mgr.config, - client.Options{ - Scheme: mgr.scheme, - }) - - if err != nil { - mgr.restartMutex.Unlock() - - mgr.log.Error(err, "Failed to create a new controller runtime client") - - return - } - - /* - * Restart the deployments. - */ - - if len(services) > 0 { - for _, service := range services { - mgr.restartDeployments( - path, - snapshotId, - fmt.Sprintf("kind=%s, service=%s", kindName, service), - appsV1Client, - rtClient) - } - } else { - mgr.restartDeployments( - path, - snapshotId, - fmt.Sprintf("kind=%s", kindName), - appsV1Client, - rtClient) - } - - /* - * Finished, so we can release our lock. - */ - - mgr.restartMutex.Unlock() -} - -/*****************************************************************************/ - -/* - * This function is used to trigger a rolling restart of the specified - * deployments. - */ - -func (mgr *SnapshotMgr) restartDeployments( - path string, - snapshotId string, - labels string, - appsV1Client *appsV1.AppsV1Client, - rtClient client.Client) { - - /* - * Retrieve the existing deployments for our operator. - */ - - deployments, err := appsV1Client.Deployments("").List( - context.TODO(), - metaV1.ListOptions{ - LabelSelector: labels, - }) - - if err != nil { - mgr.log.Error(err, "Failed to list deployments") - - return - } - - /* - * Now we need to iterate over each of the deployments, performing - * a rolling restart of the deployment. - */ - - for _, deployment := range deployments.Items { - - mgr.log.V(5).Info("Checking a deployment", - "Deployment.Namespace", deployment.Namespace, - "Deployment.Name", deployment.Name) - - /* - * Detect and retrieve the custom resource for this deployment. The - * name of the custom resource is contained in the VerifyAccess_cr - * label. - */ - - crName := deployment.Labels["VerifyAccess_cr"] - - if len(crName) == 0 { - mgr.log.Info("The deployment does not have a VerifyAccess_cr label", - "Deployment.Namespace", deployment.Namespace, - "Deployment.Name", deployment.Name) - - continue - } - - verifyaccess := &ibmv1.IBMSecurityVerifyAccess{} - - err = rtClient.Get(context.TODO(), - client.ObjectKey{ - Namespace: deployment.Namespace, - Name: crName, - }, - verifyaccess) - - if err != nil { - mgr.log.Error(err, - "Failed to retrieve the IBMSecurityVerifyAccess resource", - "CustomResource.Name", crName) - - continue - } - - /* - * We don't bother to restart the deployment if the AutoRestart field - * has been set to false. - */ - - if !verifyaccess.Spec.AutoRestart { - mgr.log.Info("Not performing an autorestart of the deployment as "+ - "the AutoRestart field is set to false", - "Deployment.Namespace", deployment.Namespace, - "Deployment.Name", deployment.Name) - - continue - } - - /* - * Check to see if the supplied file is actually used by the - * deployment. - */ - - if strings.HasPrefix(path, "/fixpacks/") { - /* - * A new fixpack has been supplied and so we only worry about - * restarting the deployment if it is currently using this - * fixpack. - */ - - fixpackName := filepath.Base(filepath.Clean(path)) - - fixpackInUse := false - - for _, fixpack := range verifyaccess.Spec.Fixpacks { - if fixpackName == fixpack { - fixpackInUse = true - break - } - } - - if !fixpackInUse { - mgr.log.Info("Not performing an autorestart as the "+ - "supplied fixpack is not used by the deployment", - "Deployment.Namespace", deployment.Namespace, - "Deployment.Name", deployment.Name, - "Fixpack.Name", fixpackName) - - continue - } - - } else if strings.HasPrefix(path, "/snapshots/") { - /* - * A new snapshot has been uploaded. We need to see if the - * snapshot identifier for the deployment matches our supplied - * snapshot identifier. - */ - - if snapshotId != verifyaccess.Spec.SnapshotId { - mgr.log.Info("Not performing an autorestart as the "+ - "supplied snapshot is not used by the deployment", - "Deployment.Namespace", deployment.Namespace, - "Deployment.Name", deployment.Name, - "Deployment.Snapshot.Id", verifyaccess.Spec.SnapshotId, - "Snapshot.Id", snapshotId) - - continue - } - } - - /* - * Determine the revision number of the deployment. This is incremented - * to trigger a rolling update. - */ - - mgr.log.Info("Performing a rolling restart of the deployment", - "Deployment.Namespace", deployment.Namespace, - "Deployment.Name", deployment.Name) - - revision, err := strconv.Atoi( - deployment.Spec.Template.Annotations["revision"]) - - if err != nil { - revision = 1 - } else { - revision++ - } - - mgr.log.V(5).Info("New revision number", "Revision", revision) - - /* - * Patch the deployment descriptor with the incremented revision - * number. - */ - - payloadBytes := fmt.Sprintf( - "{\"spec\":"+ - "{\"template\":"+ - "{\"metadata\":"+ - "{\"annotations\":{"+ - "\"revision\":\"%d\"}"+ - "}"+ - "}"+ - "}"+ - "}", revision) - - _, err = appsV1Client.Deployments(deployment.Namespace).Patch( - context.TODO(), - deployment.Name, - types.StrategicMergePatchType, - []byte(payloadBytes), - metaV1.PatchOptions{}) - - if err != nil { - mgr.log.Error(err, "Failed to update the deployment", - "Deployment.Name", deployment.Name) - - return - } - - mgr.log.V(5).Info("Successfully updated the deployment") - } -} - -/*****************************************************************************/ - -/* - * This function is the main function for the snapshot manager and is used - * GET/PUT snapshots. - */ - -func (mgr *SnapshotMgr) serve(w http.ResponseWriter, r *http.Request) { - - mgr.log.V(9).Info("Entering a function", "Function", "serve") - - /* - * Check the authorization to this Web server. The username should always - * be the same, but we use a different password for the GET/POST methods. - */ - - username, password, _ := r.BasicAuth() - - authOk := mgr.creds[userFieldName] == username && - (mgr.creds[rwPwdFieldName] == password || - (r.Method == "GET" && mgr.creds[roPwdFieldName] == password)) - - if !authOk { - w.Header().Set("WWW-Authenticate", - fmt.Sprintf("Basic realm=\"%s\"", operatorName)) - - http.Error(w, - http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) - - mgr.log.V(5).Info("Authentication failed", "Username", username) - - return - } - - /* - * Validate the supplied path, and from this determine the name of the - * file which will be used. We need to ensure that we don't traverse - * out of our data path. The only valid directories are: '/fixpacks', - * and '/snapshots'. - */ - - isValid := false - listFiles := false - - if strings.HasPrefix(r.URL.Path, "/fixpacks/") { - basePath := filepath.Base(filepath.Clean(r.URL.Path)) - - if r.URL.Path == "/fixpacks/"+basePath { - isValid = true - } - } else if strings.HasPrefix(r.URL.Path, "/snapshots/") { - basePath := filepath.Base(filepath.Clean(r.URL.Path)) - - if r.URL.Path == "/snapshots/"+basePath && - strings.HasPrefix(basePath, "isva_") && - strings.HasSuffix(basePath, ".snapshot") { - isValid = true - } - } else if strings.HasPrefix(r.URL.Path, "/snapshots") && - r.Method == "GET" { - //If we are making a get request to the snapshots base URI then we want to return a list - // of known snapshots - isValid = true - listFiles = true - } - - if !isValid { - http.Error(w, - http.StatusText(http.StatusBadRequest), http.StatusBadRequest) - - mgr.log.V(5).Info("An invalid path has been requested", - "Path", r.URL.Path) - - return - } - - fileName := filepath.Join(dataRoot, r.URL.Path) - - /* - * Work out the client of the request. - */ - - client := r.URL.Query().Get("client") - - if len(client) == 0 { - client = r.Header.Get("X-Forwarded-For") - - if len(client) == 0 { - client = r.RemoteAddr - - if len(client) == 0 { - client = "unknown" - } - } - } - - /* - * Process the request based on the specified method. - */ - - switch r.Method { - /* - * For a GET we simply want to return the file. The ServeFile function - * will take care of constructing the response. - */ - - case "GET": - mgr.log.Info("Processing a GET", "Path", r.URL.Path, "Client", client) - if listFiles == true { - mgr.webMutex.RLock() - fp, err := os.Open(fileName) - if err != nil { - mgr.webMutex.RUnlock() - mgr.log.V(5).Error(err, "Error reading snapshot directory") - http.Error(w, - http.StatusText(http.StatusBadRequest), - http.StatusBadRequest) - return - } - fileList, err := fp.Readdir(0) - if err != nil { - mgr.webMutex.RUnlock() - mgr.log.V(5).Error(err, "Error listing files in snapshot diectory") - http.Error(w, - http.StatusText(http.StatusBadRequest), - http.StatusBadRequest) - return - } - type SnapshotProperties map[string]interface{} - var snapshots []SnapshotProperties - for _, snapshot := range fileList { - snapshots = append(snapshots, SnapshotProperties{"name": snapshot.Name(), "size": snapshot.Size(), - "lastModified": snapshot.ModTime().String()}) - } - mgr.webMutex.RUnlock() - jsonStr, err := json.Marshal(snapshots) - if err != nil { - mgr.log.V(5).Error(err, "Error serializing snapshot properties") - http.Error(w, - http.StatusText(http.StatusBadRequest), - http.StatusBadRequest) - return - } - w.Header().Set("Content-Type", "application/json") - w.WriteHeader(http.StatusOK) - w.Write(jsonStr) - } else { - mgr.webMutex.RLock() - http.ServeFile(w, r, fileName) - mgr.webMutex.RUnlock() - } - - /* - * For a POST we want to save the supplied file. - */ - - case "POST": - /* - * Work out some of the information associated with the request and - * then log the request. - */ - - modified := r.URL.Query().Get("modified") - modifiedStr := modified - - if len(modified) == 0 { - modifiedStr = "all" - } - - mgr.log.Info("Processing a POST", - "Path", r.URL.Path, - "Modified", modifiedStr, - "Client", client) - - /* - * Retrieve the file parameter from the form. - */ - - r.ParseMultipartForm(maxMemory) - - file, _, err := r.FormFile("file") - - if err != nil { - http.Error(w, - http.StatusText(http.StatusBadRequest), - http.StatusBadRequest) - - mgr.log.V(5).Error(err, "An invalid POST has been received") - - return - } - - defer file.Close() - - /* - * Create the file which is to be uploaded. - */ - - mgr.webMutex.Lock() - - dst, err := os.Create(fileName) - - if err != nil { - mgr.webMutex.Unlock() - - http.Error(w, err.Error(), http.StatusInternalServerError) - - mgr.log.V(5).Error(err, "Failed to create the file", - "File", fileName) - - return - } - - defer dst.Close() - - /* - * Save the file. - */ - - _, err = io.Copy(dst, file) - - if err != nil { - mgr.webMutex.Unlock() - - http.Error(w, err.Error(), http.StatusInternalServerError) - - mgr.log.V(5).Error(err, "Failed to copy the file", - "File", fileName) - - return - } - - mgr.webMutex.Unlock() - - /* - * Request a restart of all running containers in a separate - * thread. - */ - - go mgr.rollingRestart(filepath.Clean(r.URL.Path), modified) - - /* - * Return a '201 Created' response. - */ - - http.Error(w, "", http.StatusCreated) - - mgr.log.V(5).Info("The file has been saved", "File", fileName) - - /* - * For a DELETE we want to attempt to delete the specified file. The - * response will be different based on whether the file exists, and we - * were able to successfully delete the file. - */ - - case "DELETE": - mgr.log.Info("Processing a DELETE", - "Path", r.URL.Path, "Client", client) - - mgr.webMutex.Lock() - err := os.Remove(fileName) - mgr.webMutex.Unlock() - - var rspCode int - var rspText string - - if err == nil { - rspCode = http.StatusNoContent - rspText = "" - } else if os.IsNotExist(err) { - rspCode = http.StatusNotFound - rspText = http.StatusText(http.StatusNotFound) - } else { - rspCode = http.StatusInternalServerError - rspText = err.Error() - } - - if err == nil { - mgr.log.V(5).Error(err, "Failed to delete the file", - "File", fileName) - } else { - mgr.log.V(5).Info("Successfully deleted the file", - "File", fileName) - } - - http.Error(w, rspText, rspCode) - - /* - * All other methods are not supported. - */ - - default: - mgr.log.V(5).Info("Received a request with an invalid method", - "Path", r.URL.Path, - "Client", client, - "Method", r.Method) - - http.Error(w, - http.StatusText(http.StatusNotImplemented), - http.StatusNotImplemented) - - } -} - -/*****************************************************************************/ - -/* - * This function is used to generate a secure random password based on the - * specified password length. - */ - -func (mgr *SnapshotMgr) generateRandomString(length int) (string, error) { - const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-" - - ret := make([]byte, length) - - for i := 0; i < length; i++ { - num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters)))) - - if err != nil { - return "", err - } - - ret[i] = letters[num.Int64()] - } - - return string(ret), nil -} - -/*****************************************************************************/ - -/* - * The following function is used to generate a new public/private key - * pair. - */ - -func (mgr *SnapshotMgr) generateKey() (cert string, key string, err error) { - - mgr.log.V(9).Info("Entering a function", "Function", "generateKey") - - /* - * Generate the RSA key. - */ - - priv, err := rsa.GenerateKey(rand.Reader, keyLength) - - if err != nil { - mgr.log.Error(err, "Failed to generate an RSA key") - return - } - - /* - * Construct the x509 certificate. - */ - - host, _ := os.Hostname() - - template := x509.Certificate{ - SerialNumber: big.NewInt(1), - Subject: pkix.Name{ - CommonName: host, - Organization: []string{"IBM"}, - }, - NotBefore: time.Now(), - NotAfter: time.Now().Add(time.Hour * 24 * 365 * 20), - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, - BasicConstraintsValid: true, - IsCA: true, - } - - if ip := net.ParseIP(host); ip != nil { - template.IPAddresses = append(template.IPAddresses, ip) - } else { - template.DNSNames = append(template.DNSNames, host) - } - - //Hard code the service name as a SAN as this is what will be put in the generated secret - namespace, err := getLocalNamespace(mgr.log) - if err != nil { - namespace = "default" - } - template.DNSNames = append(template.DNSNames, fmt.Sprintf("%s.%s.svc.cluster.local:%d", - serviceName, namespace, httpsPort)) - template.DNSNames = append(template.DNSNames, fmt.Sprintf("%s.%s.svc.cluster.local", - serviceName, namespace)) - - derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, - &priv.PublicKey, priv) - - if err != nil { - mgr.log.Error(err, "Failed to generate the certificate") - return - } - - /* - * Convert the certificate. - */ - - out := &bytes.Buffer{} - - pem.Encode(out, &pem.Block{ - Type: "CERTIFICATE", - Bytes: derBytes, - }) - - cert = out.String() - - /* - * Convert the key. - */ - - out.Reset() - - pem.Encode(out, &pem.Block{ - Type: "RSA PRIVATE KEY", - Bytes: x509.MarshalPKCS1PrivateKey(priv), - }) - - key = out.String() - - return -} - -/*****************************************************************************/ - -/* - * This function is used to create our secret and populate the secret with - * our required data. This data includes: - * - the read-only credentials - * - the read-write credentials - * - the server certificate and key - */ - -func (mgr *SnapshotMgr) createSecret( - client coreV1.SecretInterface, namespace string) ( - secret *apiV1.Secret, err error) { - - mgr.log.V(9).Info("Entering a function", "Function", "createSecret") - - /* - * Generate a random password for the read-only and read-write credentials. - */ - - ro_pwd, err := mgr.generateRandomString(pwdLength) - - if err != nil { - mgr.log.Error(err, "Failed to generate a password") - - return - } - - rw_pwd, err := mgr.generateRandomString(pwdLength) - - if err != nil { - mgr.log.Error(err, "Failed to generate a password") - - return - } - - /* - * Generate a self signed certificate and key. - */ - - cert, key, err := mgr.generateKey() - if err != nil { - return - } - - url := fmt.Sprintf("https://%s.%s.svc.cluster.local:%d", - serviceName, namespace, httpsPort) - - /* - * Create the secret. - */ - - secret = &apiV1.Secret{ - Type: apiV1.SecretTypeOpaque, - ObjectMeta: metaV1.ObjectMeta{ - Name: operatorName, - }, - StringData: map[string]string{ - userFieldName: snapshotMgrUser, - urlFieldName: url, - rwPwdFieldName: rw_pwd, - roPwdFieldName: ro_pwd, - certFieldName: cert, - keyFieldName: key, - }, - } - - secret, err = client.Create(context.TODO(), secret, metaV1.CreateOptions{}) - - if err != nil { - mgr.log.Error(err, "Failed to create the secret", - "Secret.Name", operatorName) - - return - } - - return -} - -/*****************************************************************************/ - -/* - * This function is used to load the relevant data from our secret. We need - * to obtain: - * - the read-only credentials - * - the read-write credentials - * - the server certificate and key - */ - -func (mgr *SnapshotMgr) loadSecret() (err error) { - var secretsClient coreV1.SecretInterface - var secret *apiV1.Secret - var namespace string - - mgr.log.V(9).Info("Entering a function", "Function", "loadSecret") - - /* - * Work out the namespace in which we are running. - */ - - namespace, err = getLocalNamespace(mgr.log) - - if err != nil { - return - } - - /* - * Create a new client based on our current configuration. - */ - - clientset, err := kubernetes.NewForConfig(mgr.config) - if err != nil { - mgr.log.Error(err, "Failed to create a new client") - - return - } - - /* - * Attempt to retrieve the secret. - */ - - secretsClient = clientset.CoreV1().Secrets(namespace) - secret, err = secretsClient.Get( - context.TODO(), operatorName, metaV1.GetOptions{}) - - if err != nil { - mgr.log.V(5).Info("Creating the secret", "Secret.Name", operatorName) - - /* - * The secret doesn't already exist and so we try to create the - * secret now. - */ - - secret, err = mgr.createSecret(secretsClient, namespace) - - if err != nil { - return - } - } else { - mgr.log.V(5).Info("Found the secret", "Secret.Name", operatorName) - } - - /* - * We now have the secret and so we need to store the data, also - * checking that all of the required data exists. - */ - - mgr.creds = make(map[string]string) - - keys := []string{ - userFieldName, - urlFieldName, - roPwdFieldName, - rwPwdFieldName, - certFieldName, - keyFieldName, - } - - for _, key := range keys { - value, ok := secret.Data[key] - - if !ok { - mgr.log.Error(err, "The secret is missing a required field", - "Secret.Name", operatorName, "Field.Name", key) - - err = errors.New("Missing field") - - return - } - - mgr.creds[key] = string(value) - } - - return -} - -/*****************************************************************************/ - -/* - * This function is used to initialize the snapshot manager. - */ - -func (mgr *SnapshotMgr) initialize() (err error) { - /* - * Initialise this object. - */ - - err = mgr.loadSecret() - if err != nil { - return - } - - mgr.restartMutex = &sync.Mutex{} - mgr.webMutex = &sync.RWMutex{} - - /* - * Create the directories which will store our data. - */ - - dirs := []string{ - dataRoot, - filepath.Join(dataRoot, "snapshots"), - filepath.Join(dataRoot, "fixpacks"), - } - - for _, dir := range dirs { - err = os.Mkdir(dir, 0700) - - if err != nil && !os.IsExist(err) { - mgr.log.Error(err, "Failed to create the data directory", - "Directory", dir) - - return - } else { - err = nil - } - - } - - return -} - -/*****************************************************************************/ - -/* - * This function is used to start the snapshot manager, and then wait until - * we are told to terminate. - */ - -func (mgr *SnapshotMgr) start() { - var err error - - mgr.log.Info("Starting the snapshot manager", "Port", httpsPort) - - /* - * Define the http server and server handler. - */ - - pair, err := tls.X509KeyPair( - []byte(mgr.creds[certFieldName]), - []byte(mgr.creds[keyFieldName])) - - if err != nil { - mgr.log.Error(err, "Failed to generate the X509 key pair") - - return - } - - mgr.server = &http.Server{ - Addr: fmt.Sprintf(":%v", httpsPort), - TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}}, - } - - mux := http.NewServeMux() - - mux.HandleFunc("/", mgr.serve) - - mgr.server.Handler = mux - - /* - * Start listening for requests in a different thread. - */ - - mgr.log.V(5).Info("Waiting for Web requests") - - go func() { - if err := mgr.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed { - mgr.log.Error(err, "Failed to start the snapshot manager") - } - }() - - /* - * Wait and listen for the OS shutdown singal. - */ - - signalChan := make(chan os.Signal, 1) - signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM) - <-signalChan - - mgr.log.Info("Received a shutdown signal, shutting down the snapshot " + - "manager gracefully") - - mgr.server.Shutdown(context.Background()) -} - -/*****************************************************************************/ diff --git a/src/controllers/suite_test.go b/src/controllers/suite_test.go deleted file mode 100644 index d48e350..0000000 --- a/src/controllers/suite_test.go +++ /dev/null @@ -1,68 +0,0 @@ -/* - * Copyright contributors to the IBM Security Verify Access Operator project - */ - -package controllers - -import ( - "path/filepath" - "testing" - - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" - "k8s.io/client-go/kubernetes/scheme" - "k8s.io/client-go/rest" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/envtest" - "sigs.k8s.io/controller-runtime/pkg/envtest/printer" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/log/zap" - - ibmv1 "github.com/ibm-security/verify-access-operator/api/v1" - //+kubebuilder:scaffold:imports -) - -// These tests use Ginkgo (BDD-style Go testing framework). Refer to -// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. - -var cfg *rest.Config -var k8sClient client.Client -var testEnv *envtest.Environment - -func TestAPIs(t *testing.T) { - RegisterFailHandler(Fail) - - RunSpecsWithDefaultAndCustomReporters(t, - "Controller Suite", - []Reporter{printer.NewlineReporter{}}) -} - -var _ = BeforeSuite(func() { - logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) - - By("bootstrapping test environment") - testEnv = &envtest.Environment{ - CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")}, - ErrorIfCRDPathMissing: true, - } - - cfg, err := testEnv.Start() - Expect(err).NotTo(HaveOccurred()) - Expect(cfg).NotTo(BeNil()) - - err = ibmv1.AddToScheme(scheme.Scheme) - Expect(err).NotTo(HaveOccurred()) - - //+kubebuilder:scaffold:scheme - - k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) - Expect(err).NotTo(HaveOccurred()) - Expect(k8sClient).NotTo(BeNil()) - -}, 60) - -var _ = AfterSuite(func() { - By("tearing down the test environment") - err := testEnv.Stop() - Expect(err).NotTo(HaveOccurred()) -}) diff --git a/src/controllers/utils.go b/src/controllers/utils.go deleted file mode 100644 index 824cea6..0000000 --- a/src/controllers/utils.go +++ /dev/null @@ -1,55 +0,0 @@ -/* - * Copyright contributors to the IBM Security Verify Access Operator project - */ - -package controllers - -import ( - "github.com/go-logr/logr" - "io/ioutil" - "k8s.io/client-go/tools/clientcmd" - "k8s.io/client-go/tools/clientcmd/api" -) - -/*****************************************************************************/ - -/* - * This function is used to determine the namespace in which the current - * pod is running. - */ - -func getLocalNamespace(log logr.Logger) (namespace string, err error) { - var namespaceBytes []byte - var clientCfg *api.Config - - log.V(9).Info("Entering a function", "Function", "getLocalNamespace") - - /* - * Work out the namespace which should be used. In a Kubernetes - * environment we read this from the namespace file, otherwise we use - * the default namespace in the kubectl file. - */ - - namespace = "default" - - namespaceBytes, err = ioutil.ReadFile(k8sNamespaceFile) - - if err != nil { - clientCfg, err = clientcmd.NewDefaultClientConfigLoadingRules().Load() - - if err != nil { - log.Error(err, "Failed to load the client configuration") - return - } - - namespace = clientCfg.Contexts[clientCfg.CurrentContext].Namespace - } else { - namespace = string(namespaceBytes) - } - - log.V(5).Info("Found a namespace to use", "Namespace", namespace) - - return -} - -/*****************************************************************************/ diff --git a/src/go.mod b/src/go.mod index ff71317..9a1d66f 100644 --- a/src/go.mod +++ b/src/go.mod @@ -2,14 +2,76 @@ module github.com/ibm-security/verify-access-operator -go 1.15 +go 1.22.0 + +toolchain go1.22.6 + +require ( + github.com/go-logr/logr v1.4.2 + github.com/onsi/ginkgo/v2 v2.19.0 + github.com/onsi/gomega v1.33.1 + k8s.io/api v0.31.0 + k8s.io/apimachinery v0.31.0 + k8s.io/client-go v0.31.0 + sigs.k8s.io/controller-runtime v0.19.0 +) require ( - github.com/go-logr/logr v0.3.0 - github.com/onsi/ginkgo v1.14.1 - github.com/onsi/gomega v1.10.2 - k8s.io/api v0.20.2 - k8s.io/apimachinery v0.20.2 - k8s.io/client-go v0.20.2 - sigs.k8s.io/controller-runtime v0.8.3 + github.com/beorn7/perks v1.0.1 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/evanphx/json-patch v4.9.0+incompatible // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.22.4 // indirect + github.com/go-task/slim-sprig/v3 v3.0.0 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/go-cmp v0.6.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/imdario/mergo v0.3.6 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/prometheus/client_golang v1.19.1 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect + github.com/spf13/pflag v1.0.5 // indirect + github.com/x448/float16 v0.8.4 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.26.0 // indirect + golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect + golang.org/x/net v0.26.0 // indirect + golang.org/x/oauth2 v0.21.0 // indirect + golang.org/x/sys v0.21.0 // indirect + golang.org/x/term v0.21.0 // indirect + golang.org/x/text v0.16.0 // indirect + golang.org/x/time v0.5.0 // indirect + golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/apiextensions-apiserver v0.31.0 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/src/go.sum b/src/go.sum index 5260fd4..66babdf 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,703 +1,194 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0 h1:3ithwDMr7/3vpAMXiH+ZQnYbuIsh+OPhUPMFC9enmn0= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= -github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= -github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.1 h1:eVvIXUKiTgv++6YnWb42DUA1YL7qDugnKP0HljexdnQ= -github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= -github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= -github.com/Azure/go-autorest/autorest/adal v0.9.5 h1:Y3bBUV4rTuxenJJs41HU3qmqsb+auo+a3Lz+PlJPpL0= -github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= -github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= -github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk= -github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/logger v0.2.0 h1:e4RVHVZKC5p6UANLJHkM4OfR1UKZPj8Wt8Pcx+3oqrE= -github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= -github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= -github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= -github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= -github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= -github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= -github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= -github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= -github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= -github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk= -github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= -github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= -github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= -github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v0.3.0 h1:q4c+kbcR0d5rSurhBR8dIgieOaYpXtsdTYfx22Cu6rs= -github.com/go-logr/logr v0.3.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/zapr v0.2.0 h1:v6Ji8yBW77pva6NkJKQdHLAJKrIJKRHz0RXwPqCHSR4= -github.com/go-logr/zapr v0.2.0/go.mod h1:qhKdvif7YF5GI9NWEpyxTSSBdGmzkNguibrdCNVPunU= -github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= -github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= -github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU= +github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= -github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= -github.com/googleapis/gnostic v0.5.1 h1:A8Yhf6EtqTv9RMsU6MQTyrtV1TjWlR6xU9BsZIwuTCM= -github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= -github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= -github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= -github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= -github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= -github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= -github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= -github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= -github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= -github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= -github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= -github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= -github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= -github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/imdario/mergo v0.3.10 h1:6q5mVkdH/vYmqngx7kZQTjJ5HRsx+ImorDIEQ+beJgc= -github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68= -github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= -github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= +github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= -github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= -github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= -github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= -github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= -github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= -github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= -github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.1 h1:jMU0WaQrP0a/YAEq8eJmJKjBoMs+pClEr1vDMlM/Do4= -github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.10.2 h1:aY/nuoWlKJud2J6U0E3NWsjlg+0GtwXxgEqthRdzlcs= -github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= -github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= -github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= -github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= -github.com/prometheus/client_golang v1.7.1 h1:NTGy1Ja9pByO+xAeH/qiWnLrKtr3hJPNjaVUwnjpdpA= -github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= -github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.10.0 h1:RyRA7RzGXQZiW+tGMr7sxa85G1z0yOpM1qq5c8lNawc= -github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= -github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= -github.com/prometheus/procfs v0.2.0 h1:wH4vA7pcjKuZzjF7lM8awk4fnuJO6idemZXoKnULUx4= -github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= -github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= -github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= -github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= -github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= -github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= -github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI= -github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= -github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= -go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.6.0 h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk= -go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= -go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0= -go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/multierr v1.5.0 h1:KCa4XfM8CWFCpxXRGok+Q0SS/0XBhMDbHHGABQLvD2A= -go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= -go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4= -go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= -go.uber.org/zap v1.8.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.15.0 h1:ZZCA22JRF2gQE5FoNmhmrf7jeJJ2uhqDUNRYKm8dvmM= -go.uber.org/zap v1.15.0/go.mod h1:Mb2vm2krFEG5DV0W9qcHBYFtp/Wku1cvYaqPsS/WYfc= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0 h1:hb9wdF1z5waM+dSIICn1l0DkLVDT3hqhhQsDNUmHPRE= -golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= -golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= -golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= -golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI= +golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY= -golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= +golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e h1:EHBhcS0mlXEAVwNyO2dLfjToGsyY4j24pTs2ScHnX7s= -golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200616133436-c1934b75d054 h1:HHeAlu5H9b71C+Fx0K+1dGgVFN1DM1/wz4aoGOA5qS8= -golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gomodules.xyz/jsonpatch/v2 v2.1.0 h1:Phva6wqu+xR//Njw6iorylFFgn/z547tw5Ne3HZPQ+k= -gomodules.xyz/jsonpatch/v2 v2.1.0/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= -google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= -google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= -google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c= -google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= -gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= -gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= -gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= -gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.3 h1:sXmLre5bzIR6ypkjXCDI3jHPssRhc8KD/Ome589sc3U= -honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= -k8s.io/api v0.20.2 h1:y/HR22XDZY3pniu9hIFDLpUCPq2w5eQ6aV/VFQ7uJMw= -k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8= -k8s.io/apiextensions-apiserver v0.20.1 h1:ZrXQeslal+6zKM/HjDXLzThlz/vPSxrfK3OqL8txgVQ= -k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk= -k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/apimachinery v0.20.2 h1:hFx6Sbt1oG0n6DZ+g4bFt5f6BoMkOjKWsQFu077M3Vg= -k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= -k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= -k8s.io/client-go v0.20.2 h1:uuf+iIAbfnCSw8IGAv/Rg0giM+2bOzHLOsbbrwrdhNQ= -k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE= -k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg= -k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= -k8s.io/component-base v0.20.2 h1:LMmu5I0pLtwjpp5009KLuMGFqSc2S2isGw8t1hpYKLE= -k8s.io/component-base v0.20.2/go.mod h1:pzFtCiwe/ASD0iV7ySMu8SYVJjCapNM9bjvk7ptpKh0= -k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= -k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.4.0 h1:7+X0fUguPyrKEC4WjH8iGDg3laWgMo5tMnRTIGTTxGQ= -k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd h1:sOHNzJIkytDF6qadMNKhhDRpc6ODik8lVC6nOur7B2c= -k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= -k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20210111153108-fddb29f9d009 h1:0T5IaWHO3sJTEmCP6mUlBvMukxPKUQWqiI/YuiBNMiQ= -k8s.io/utils v0.0.0-20210111153108-fddb29f9d009/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= -rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= -sigs.k8s.io/controller-runtime v0.8.3 h1:GMHvzjTmaWHQB8HadW+dIvBoJuLvZObYJ5YoZruPRao= -sigs.k8s.io/controller-runtime v0.8.3/go.mod h1:U/l+DUopBc1ecfRZ5aviA9JDmGFQKvLf5YkZNx2e0sU= -sigs.k8s.io/structured-merge-diff/v4 v4.0.2 h1:YHQV7Dajm86OuqnIR6zAelnDWBRjo+YhYV9PmGrh1s8= -sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= -sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= -sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= +k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= +k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk= +k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= +k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= +k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8= +k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= +sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/src/main.go b/src/main.go deleted file mode 100644 index b189898..0000000 --- a/src/main.go +++ /dev/null @@ -1,93 +0,0 @@ -/* - * Copyright contributors to the IBM Security Verify Access Operator project - */ - -package main - -import ( - "flag" - "os" - - // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) - // to ensure that exec-entrypoint and run can make use of them. - _ "k8s.io/client-go/plugin/pkg/client/auth" - - "k8s.io/apimachinery/pkg/runtime" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" - clientgoscheme "k8s.io/client-go/kubernetes/scheme" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/healthz" - "sigs.k8s.io/controller-runtime/pkg/log/zap" - - ibmv1 "github.com/ibm-security/verify-access-operator/api/v1" - "github.com/ibm-security/verify-access-operator/controllers" - //+kubebuilder:scaffold:imports -) - -var ( - scheme = runtime.NewScheme() - setupLog = ctrl.Log.WithName("setup") -) - -func init() { - utilruntime.Must(clientgoscheme.AddToScheme(scheme)) - - utilruntime.Must(ibmv1.AddToScheme(scheme)) - //+kubebuilder:scaffold:scheme -} - -func main() { - var metricsAddr string - var enableLeaderElection bool - var probeAddr string - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") - flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") - flag.BoolVar(&enableLeaderElection, "leader-elect", false, - "Enable leader election for controller manager. "+ - "Enabling this will ensure there is only one active controller manager.") - opts := zap.Options{ - Development: true, - } - opts.BindFlags(flag.CommandLine) - flag.Parse() - - ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) - - mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - MetricsBindAddress: metricsAddr, - Port: 9443, - HealthProbeBindAddress: probeAddr, - LeaderElection: enableLeaderElection, - LeaderElectionID: "0941aff7.ibm.com", - }) - if err != nil { - setupLog.Error(err, "unable to start manager") - os.Exit(1) - } - - if err = (&controllers.IBMSecurityVerifyAccessReconciler{ - Client: mgr.GetClient(), - Log: ctrl.Log.WithName("controllers").WithName("IBMSecurityVerifyAccess"), - Scheme: mgr.GetScheme(), - }).SetupWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create controller", "controller", "IBMSecurityVerifyAccess") - os.Exit(1) - } - //+kubebuilder:scaffold:builder - - if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { - setupLog.Error(err, "unable to set up health check") - os.Exit(1) - } - if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { - setupLog.Error(err, "unable to set up ready check") - os.Exit(1) - } - - setupLog.Info("starting manager") - if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { - setupLog.Error(err, "problem running manager") - os.Exit(1) - } -} From 27123fe5f32e0ed8546ba321f49213798de0b963 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Fri, 11 Oct 2024 08:44:47 +1000 Subject: [PATCH 02/13] Migrate from go/v3 to go/v4 --- src/bundle.Dockerfile | 20 - src/cmd/main.go | 91 ++ src/internal/controller/constants.go | 88 ++ .../ibmsecurityverifyaccess_controller.go | 786 ++++++++++++ src/internal/controller/snapshotmgr.go | 1094 +++++++++++++++++ src/internal/controller/suite_test.go | 65 + src/internal/controller/utils.go | 55 + 7 files changed, 2179 insertions(+), 20 deletions(-) delete mode 100644 src/bundle.Dockerfile create mode 100644 src/cmd/main.go create mode 100644 src/internal/controller/constants.go create mode 100644 src/internal/controller/ibmsecurityverifyaccess_controller.go create mode 100644 src/internal/controller/snapshotmgr.go create mode 100644 src/internal/controller/suite_test.go create mode 100644 src/internal/controller/utils.go diff --git a/src/bundle.Dockerfile b/src/bundle.Dockerfile deleted file mode 100644 index 7115a44..0000000 --- a/src/bundle.Dockerfile +++ /dev/null @@ -1,20 +0,0 @@ -FROM scratch - -# Core bundle labels. -LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 -LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ -LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ -LABEL operators.operatorframework.io.bundle.package.v1=ibm-security-verify-access-operator -LABEL operators.operatorframework.io.bundle.channels.v1=stable -LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.37.0 -LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 -LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4 - -# Labels for testing. -LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1 -LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/ - -# Copy files to locations specified by labels. -COPY bundle/manifests /manifests/ -COPY bundle/metadata /metadata/ -COPY bundle/tests/scorecard /tests/scorecard/ diff --git a/src/cmd/main.go b/src/cmd/main.go new file mode 100644 index 0000000..418596e --- /dev/null +++ b/src/cmd/main.go @@ -0,0 +1,91 @@ +/* + * Copyright contributors to the IBM Security Verify Access Operator project + */ + +package main + +import ( + "flag" + "os" + + // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) + // to ensure that exec-entrypoint and run can make use of them. + _ "k8s.io/client-go/plugin/pkg/client/auth" + + "k8s.io/apimachinery/pkg/runtime" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + clientgoscheme "k8s.io/client-go/kubernetes/scheme" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/healthz" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + + ibmv1 "github.com/ibm-security/verify-access-operator/api/v1" + "github.com/ibm-security/verify-access-operator/internal/controller" + //+kubebuilder:scaffold:imports +) + +var ( + scheme = runtime.NewScheme() + setupLog = ctrl.Log.WithName("setup") +) + +func init() { + utilruntime.Must(clientgoscheme.AddToScheme(scheme)) + + utilruntime.Must(ibmv1.AddToScheme(scheme)) + //+kubebuilder:scaffold:scheme +} + +func main() { + var metricsAddr string + var enableLeaderElection bool + var probeAddr string + flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") + flag.BoolVar(&enableLeaderElection, "leader-elect", false, + "Enable leader election for controller manager. "+ + "Enabling this will ensure there is only one active controller manager.") + opts := zap.Options{ + Development: true, + } + opts.BindFlags(flag.CommandLine) + flag.Parse() + + ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ + Scheme: scheme, + HealthProbeBindAddress: probeAddr, + LeaderElection: enableLeaderElection, + LeaderElectionID: "0941aff7.ibm.com", + }) + if err != nil { + setupLog.Error(err, "unable to start manager") + os.Exit(1) + } + + if err = (&controllers.IBMSecurityVerifyAccessReconciler{ + Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controllers").WithName("IBMSecurityVerifyAccess"), + Scheme: mgr.GetScheme(), + }).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "IBMSecurityVerifyAccess") + os.Exit(1) + } + //+kubebuilder:scaffold:builder + + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up health check") + os.Exit(1) + } + if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up ready check") + os.Exit(1) + } + + setupLog.Info("starting manager") + if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { + setupLog.Error(err, "problem running manager") + os.Exit(1) + } +} diff --git a/src/internal/controller/constants.go b/src/internal/controller/constants.go new file mode 100644 index 0000000..c30da3c --- /dev/null +++ b/src/internal/controller/constants.go @@ -0,0 +1,88 @@ +/* + * Copyright contributors to the IBM Security Verify Access Operator project + */ + +package controllers + +/*****************************************************************************/ + +/* + * The name of the kubernetes file which is used to determine the namespace + * in which the snapshotmgr is running. + */ + +const k8sNamespaceFile string = "/var/run/secrets/kubernetes.io/serviceaccount/namespace" + +/* + * THe name of the kubernetes file which is used to mount the CA X509 for the + * operator's snapshot management service. + */ +const k8sSnapMgrCertDir string = "/var/run/secrets/kubernetes.io/verify-access-operator" + +/* + * The name which is given to our operator. This same name will also be + * used as the name of the secret which is generated for the operator. + */ + +const operatorName string = "verify-access-operator" + +/* + * The name of our exported snapshot manager configuration service. + */ + +const serviceName string = "verify-access-operator-controller-manager-snapshot-service" + +/* + * The custom resource type. + */ + +const kindName string = "IBMSecurityVerifyAccess" + +/* + * The name of the user which is used to authenticate to the snapshot + * manager. + */ + +const snapshotMgrUser string = "apikey" + +/* + * The name of the various fields in the secret. + */ + +const userFieldName string = "user" +const urlFieldName string = "url" +const roPwdFieldName string = "ro.pwd" +const rwPwdFieldName string = "rw.pwd" +const certFieldName string = "tls.cert" +const keyFieldName string = "tls.key" + +/* + * The length of our generated passwords. + */ + +const pwdLength int = 36 + +/* + * The length of the generated X509 key. + */ + +const keyLength int = 2048 + +/* + * The port on which the snapshot manager will listen for requests. + */ + +const httpsPort int = 7443 + +/* + * The directory on the file system which holds our uploaded files. + */ + +const dataRoot string = "/data" + +/* + * The maximum amount of memory which should be used when receiving a + * file. + */ + +const maxMemory int64 = 1024 diff --git a/src/internal/controller/ibmsecurityverifyaccess_controller.go b/src/internal/controller/ibmsecurityverifyaccess_controller.go new file mode 100644 index 0000000..a7abaa1 --- /dev/null +++ b/src/internal/controller/ibmsecurityverifyaccess_controller.go @@ -0,0 +1,786 @@ +/* + * Copyright contributors to the IBM Security Verify Access Operator project + */ + +package controllers + +/*****************************************************************************/ + +import ( + appsv1 "k8s.io/api/apps/v1" + apiv1 "k8s.io/api/core/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + + "context" + "fmt" + "strings" + "sync" + "time" + + "github.com/go-logr/logr" + + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + + ibmv1 "github.com/ibm-security/verify-access-operator/api/v1" +) + +/*****************************************************************************/ + +/* + * The IBMSecurityVerifyAccessReconciler structure reconciles an + * IBMSecurityVerifyAccess object. + */ + +type IBMSecurityVerifyAccessReconciler struct { + client.Client + + Log logr.Logger + Scheme *runtime.Scheme + localNamespace string + snapshotMgr SnapshotMgr + secretMutex *sync.Mutex +} + +/*****************************************************************************/ + +//+kubebuilder:rbac:groups=ibm.com,resources=ibmsecurityverifyaccesses,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=ibm.com,resources=ibmsecurityverifyaccesses/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=ibm.com,resources=ibmsecurityverifyaccesses/finalizers,verbs=update +//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch +//+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete + +/*****************************************************************************/ + +/* + * Reconcile is part of the main kubernetes reconciliation loop which aims to + * move the current state of the cluster closer to the desired state. + * + * For more details, check Reconcile and its Result here: + * - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.8.3/pkg/reconcile + */ + +func (r *IBMSecurityVerifyAccessReconciler) Reconcile( + ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + + r.Log.V(9).Info("Entering a function", "Function", "Reconcile") + + /* + * Fetch the definition document. + */ + + verifyaccess := &ibmv1.IBMSecurityVerifyAccess{} + err := r.Get(ctx, req.NamespacedName, verifyaccess) + + if err != nil { + if errors.IsNotFound(err) { + /* + * The requested object was not found. It could have been deleted + * after the reconcile request. + */ + + r.Log.Info("The VerifyAccess resource was not found. " + + "Ignoring this error since the object must have been deleted") + + err = nil + } else { + /* + * There was an error reading the object - requeue the request. + */ + + r.Log.Error(err, "Failed to get the VerifyAccess resource") + } + + return ctrl.Result{}, err + } + + /* + * Check if the deployment already exists, and if one doesn't we create a + * new one now. + */ + + found := &appsv1.Deployment{} + err = r.Get( + ctx, + types.NamespacedName{ + Name: verifyaccess.Name, + Namespace: verifyaccess.Namespace}, + found) + + if err != nil { + if errors.IsNotFound(err) { + /* + * The deployment requires a secret which contains the snapshot + * manager credentials. We need to create the secret in the + * destination namespace if it doesn't already exist. + */ + + err = r.createSecret(ctx, verifyaccess) + + if err == nil { + /* + * A deployment does not already exist and so we create a new + * deployment. + */ + + dep := r.deploymentForVerifyAccess(verifyaccess) + + r.Log.Info("Creating a new deployment", "Deployment.Namespace", + dep.Namespace, "Deployment.Name", dep.Name) + + err = r.Create(ctx, dep) + + if err != nil { + r.Log.Error(err, "Failed to create the new deployment", + "Deployment.Namespace", dep.Namespace, + "Deployment.Name", dep.Name) + } + } + + } else { + r.Log.Error(err, "Failed to retrieve the Deployment resource") + } + + r.setCondition(err, true, ctx, verifyaccess) + + return ctrl.Result{}, err + + } + + /* + * The deployment already exists. We now need to check to see if any + * of our CR fields have been updated which will require an update of + * the deployment. + */ + + r.Log.V(5).Info("Found a matching deployment", + "Deployment.Namespace", found.Namespace, + "Deployment.Name", found.Name) + + replicas := verifyaccess.Spec.Replicas + + if *found.Spec.Replicas != replicas { + found.Spec.Replicas = &replicas + + err = r.Update(ctx, found) + + if err != nil { + r.Log.Error(err, "Failed to update deployment", + "Deployment.Namespace", found.Namespace, + "Deployment.Name", found.Name) + } else { + r.Log.Info("Updated an existing deployment", + "Deployment.Namespace", found.Namespace, + "Deployment.Name", found.Name) + } + + r.setCondition(err, false, ctx, verifyaccess) + + return ctrl.Result{}, err + } + + return ctrl.Result{}, nil +} + +/*****************************************************************************/ + +/* + * The following function is used to wrap the logic which updates the + * condition for a failure. + */ + +func (r *IBMSecurityVerifyAccessReconciler) setCondition( + err error, + isCreate bool, + ctx context.Context, + m *ibmv1.IBMSecurityVerifyAccess) error { + + var condReason string + var condMessage string + + if isCreate { + condReason = "DeploymentCreated" + condMessage = "The deployment has been created." + } else { + condReason = "DeploymentUpdated" + condMessage = "The deployment has been updated." + } + + currentTime := metav1.NewTime(time.Now()) + + if err == nil { + m.Status.Conditions = []metav1.Condition{{ + Type: "Available", + Status: metav1.ConditionTrue, + Reason: condReason, + Message: condMessage, + LastTransitionTime: currentTime, + }} + } else { + m.Status.Conditions = []metav1.Condition{{ + Type: "Available", + Status: metav1.ConditionFalse, + Reason: condReason, + Message: err.Error(), + LastTransitionTime: currentTime, + }} + } + + if err := r.Status().Update(ctx, m); err != nil { + r.Log.Error(err, "Failed to update the condition for the resource", + "Deployment.Namespace", m.Namespace, + "Deployment.Name", m.Name) + + return err + } + + return nil +} + +/*****************************************************************************/ + +/* + * The following function is used to create the secret which is used by + * the deployment. + */ + +func (r *IBMSecurityVerifyAccessReconciler) createSecret( + ctx context.Context, + m *ibmv1.IBMSecurityVerifyAccess) (err error) { + + r.secretMutex.Lock() + + /* + * Check to see if the secret already exists. + */ + + secret := &corev1.Secret{} + err = r.Get( + ctx, + types.NamespacedName{ + Name: operatorName, + Namespace: m.Namespace, + }, + secret) + + if err != nil { + if errors.IsNotFound(err) { + /* + * The secret doesn't already exist and so we need to create + * the secret now. + */ + + r.Log.V(5).Info("Creating the secret", + "Deployment.Namespace", m.Namespace, + "Secret.Name", operatorName) + + secret = &corev1.Secret{ + Type: apiv1.SecretTypeOpaque, + ObjectMeta: metav1.ObjectMeta{ + Name: operatorName, + Namespace: m.Namespace, + }, + StringData: map[string]string{ + userFieldName: snapshotMgrUser, + urlFieldName: r.snapshotMgr.creds[urlFieldName], + roPwdFieldName: r.snapshotMgr.creds[roPwdFieldName], + certFieldName: r.snapshotMgr.creds[certFieldName], + }, + } + + err = r.Create(ctx, secret) + + if err != nil { + r.Log.Error(err, "Failed to create the secret", + "Deployment.Namespace", m.Namespace, + "Secret.Name", operatorName) + } + } else { + r.Log.Error(err, "Failed to retrieve the secret", + "Deployment.Namespace", m.Namespace, + "Secret.Name", operatorName) + } + } else { + r.Log.V(5).Info("Found an existing secret, checking values are correct", + "Deployment.Namespace", m.Namespace, + "Secret.Name", operatorName) + var requireUpdate bool + for k, v := range secret.Data { + secVal := string(v[:]) + myVal, ok := r.snapshotMgr.creds[k] + if ok { + if secVal != myVal { + requireUpdate = true + } + } else { + r.Log.V(1).Info(fmt.Sprintf("Unknown key [%s] found in verify-access-operator secret!", k)) + } + } + if len(secret.Data) < 4 { // 5 if rwPwd is defined, legacy is len 3 (missing tls.cert) + requireUpdate = true + } + r.Log.V(7).Info(fmt.Sprintf("Secret require update %t", requireUpdate)) + if requireUpdate == true { + secret = &corev1.Secret{ + Type: apiv1.SecretTypeOpaque, + ObjectMeta: metav1.ObjectMeta{ + Name: operatorName, + Namespace: m.Namespace, + }, + StringData: map[string]string{ + userFieldName: snapshotMgrUser, + urlFieldName: r.snapshotMgr.creds[urlFieldName], + roPwdFieldName: r.snapshotMgr.creds[roPwdFieldName], + certFieldName: r.snapshotMgr.creds[certFieldName], + }, + } + + err = r.Update(ctx, secret) + } + } + + r.secretMutex.Unlock() + + return +} + +/*****************************************************************************/ + +/* + * The following function is used to return a VerifyAccess Deployment object. + * + * We map the following IBMSecurityVerifyAccess attributes to a corresponding + * attribute in the Deployment structure: + * + * IBMSecurityVerifyAccess spec | Deployment spec + * ---------------------------- | --------------- + * replicas | replicas + * image | template.spec.containers[0].image + * snapshotId | template.spec.containers[0].env + * fixpacks | template.spec.containers[0].env + * instance | template.spec.containers[0].env + * languages | template.spec.containers[0].env + * volumes | template.spec.volumes + * imagePullSecrets | template.spec.imagePullSecrets + * serviceAccountName | template.spec.serviceAccountName + * container | template.spec.containers[0] + * + * We will pre-propulate: + * - metadata + * - spec.selector + * - template.spec.containers[0].name + * - template.spec.containers[0].ports + * - template.spec.containers[0].livenessProbe + * - template.spec.containers[0].readinessProbe + * - template.spec.containers[0].startupProbe + * - template.spec.containers[0].env (for CONFIG_SERVICE_XXX variables) + */ + +func (r *IBMSecurityVerifyAccessReconciler) deploymentForVerifyAccess( + m *ibmv1.IBMSecurityVerifyAccess) *appsv1.Deployment { + /* + * Work out the name of the service. We determine this from the name of + * the image, and the value of the INSTANCE environment variable. + */ + + serviceName := "unknown" + imageComponent := strings.Split(m.Spec.Image, ":")[0] + + if strings.HasSuffix(imageComponent, "wrp") { + if m.Spec.Instance != "" { + serviceName = fmt.Sprintf("wrp-%s", m.Spec.Instance) + } else { + serviceName = "wrp-default" + } + } else if strings.HasSuffix(imageComponent, "runtime") { + serviceName = "runtime" + } else if strings.HasSuffix(imageComponent, "dsc") { + if m.Spec.Instance != "" { + serviceName = fmt.Sprintf("dsc-%s", m.Spec.Instance) + } else { + serviceName = "dsc-1" + } + } + + /* + * The labels which are used in our deployment. + */ + + labels := map[string]string{ + "kind": kindName, + "app": m.Name, + "VerifyAccess_cr": m.Name, + "service": serviceName, + } + + falseVar := false + + /* + * The port which is exported by the deployment. + */ + + ports := []corev1.ContainerPort{{ + Name: "https", + ContainerPort: 9443, + Protocol: corev1.ProtocolTCP, + }} + + /* + * The liveness, readiness and start-up probe definitions. + */ + + livenessProbe := m.Spec.Container.LivenessProbe + + if livenessProbe == nil { + livenessProbe = &corev1.Probe{ + TimeoutSeconds: 3, + ProbeHandler: corev1.ProbeHandler{ + Exec: &corev1.ExecAction{ + Command: []string{ + "/sbin/health_check.sh", + "livenessProbe", + }, + }, + }, + } + } + + readinessProbe := m.Spec.Container.ReadinessProbe + + if readinessProbe == nil { + readinessProbe = &corev1.Probe{ + TimeoutSeconds: 3, + ProbeHandler: corev1.ProbeHandler{ + Exec: &corev1.ExecAction{ + Command: []string{ + "/sbin/health_check.sh", + }, + }, + }, + } + } + startupProbe := m.Spec.Container.StartupProbe + + if startupProbe == nil { + startupProbe = &corev1.Probe{ + InitialDelaySeconds: 5, + TimeoutSeconds: 20, + FailureThreshold: 30, + ProbeHandler: corev1.ProbeHandler{ + Exec: &corev1.ExecAction{ + Command: []string{ + "/sbin/health_check.sh", + "startupProbe", + }, + }, + }, + } + } + + /* + * Set up the environment variables which are used to access the + * embedded snapshot manager. + */ + + maxEnv := 7 + env := make([]corev1.EnvVar, 0, maxEnv) + + env = append(env, corev1.EnvVar{ + Name: "CONFIG_SERVICE_URL", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: operatorName, + }, + Key: urlFieldName, + Optional: &falseVar, + }, + }, + }) + + env = append(env, corev1.EnvVar{ + Name: "CONFIG_SERVICE_USER_NAME", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: operatorName, + }, + Key: userFieldName, + Optional: &falseVar, + }, + }, + }) + + env = append(env, corev1.EnvVar{ + Name: "CONFIG_SERVICE_USER_PWD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: operatorName, + }, + Key: roPwdFieldName, + Optional: &falseVar, + }, + }, + }) + + /* If a config snapshot secrets property has been defiend add + it to runtime containers + */ + if m.Spec.SnapshotSecrets != "" { + env = append(env, corev1.EnvVar{ + Name: "CONFIG_SNAPSHOT_SECRETS", + Value: m.Spec.SnapshotSecrets, + }) + } + + /* Add TLS CAcert properties if they exist, else use kubernetes + PKI as the default + */ + addSnapMgrCert := false + if m.Spec.SnapshotTLSCacert != "" { + env = append(env, corev1.EnvVar{ + Name: "CONFIG_SERVICE_TLS_CACERT", + Value: m.Spec.SnapshotTLSCacert, + }) + + } else { + addSnapMgrCert = true + env = append(env, corev1.EnvVar{ + Name: "CONFIG_SERVICE_TLS_CACERT", + Value: "operator", + }) + } + + /* + * Add the rest of the environment variables (if specified). + */ + + if m.Spec.SnapshotId != "" { + env = append(env, corev1.EnvVar{ + Name: "SNAPSHOT_ID", + Value: m.Spec.SnapshotId, + }) + } + + if len(m.Spec.Fixpacks) > 0 { + env = append(env, corev1.EnvVar{ + Name: "FIXPACKS", + Value: strings.Join(m.Spec.Fixpacks, ","), + }) + } + + if m.Spec.Instance != "" { + env = append(env, corev1.EnvVar{ + Name: "INSTANCE", + Value: m.Spec.Instance, + }) + } + + if m.Spec.Language != "" { + env = append(env, corev1.EnvVar{ + Name: "LANG", + Value: string(m.Spec.Language), + }) + } + + maxVolMnts := len(m.Spec.Container.VolumeMounts) + volMnts := make([]corev1.VolumeMount, 0, maxVolMnts+1) + copy(volMnts, m.Spec.Container.VolumeMounts) + maxVols := len(m.Spec.Volumes) + vols := make([]corev1.Volume, 0, maxVols+1) + copy(vols, m.Spec.Volumes) + if addSnapMgrCert == true { + r.Log.V(5).Info("Adding snapshot manager service TLS certificate to deployment.") + //Mount the operator cert as a file here. This will avoid permissions issues + //when service accounts try to read the verify-access-operator secret at + //runtime. + volMnts = append(volMnts, corev1.VolumeMount{ + Name: operatorName, + ReadOnly: true, + MountPath: k8sSnapMgrCertDir, + SubPath: certFieldName, + }) + vols = append(vols, corev1.Volume{ + Name: operatorName, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: operatorName, + Items: []corev1.KeyToPath{ + corev1.KeyToPath{ + Key: certFieldName, + Path: certFieldName, + }, + }, + }, + }, + }) + } + r.Log.V(1).Info(fmt.Printf("%#v\n", maxVolMnts)) + /* + * Set up the rest of the deployment descriptor. + */ + + dep := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: m.Name, + Namespace: m.Namespace, + Labels: labels, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &m.Spec.Replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: labels, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: labels, + }, + Spec: corev1.PodSpec{ + Volumes: vols, + ImagePullSecrets: m.Spec.ImagePullSecrets, + ServiceAccountName: m.Spec.ServiceAccountName, + Containers: []corev1.Container{{ + Env: m.Spec.Container.Env, + EnvFrom: m.Spec.Container.EnvFrom, + Image: m.Spec.Image, + ImagePullPolicy: m.Spec.Container.ImagePullPolicy, + LivenessProbe: livenessProbe, + Name: m.Name, + Ports: ports, + ReadinessProbe: readinessProbe, + Resources: m.Spec.Container.Resources, + SecurityContext: m.Spec.Container.SecurityContext, + StartupProbe: startupProbe, + VolumeDevices: m.Spec.Container.VolumeDevices, + VolumeMounts: volMnts, + }}, + }, + }, + }, + } + + licenseAnnotations := m.Spec.LicenseAnnotations + + if licenseAnnotations != nil { + annotations := map[string]string{ + "productMetric": "PROCESSOR_VALUE_UNIT", + "productChargedContainers": "All", + "productName": "IBM Security Verify Access Virtual Edition", + "productId": "e2ba21cf5df245bb8524be1957857d9f", + } + prod := m.Spec.LicenseAnnotations.Production + module := m.Spec.LicenseAnnotations.Module + switch module { + case "access_control": + if prod == false { + annotations["productName"] = "IBM Security Verify Access Virtual Edition AAC Module Non-Production AOS" + annotations["productId"] = "707987d5b0ca48e8af8e5856c027980f" + } else { + annotations["productName"] = "IBM Security Verify Access Virtual Edition AAC Module AOS" + annotations["productId"] = "25d814176e0f4f21b64db66b916414d4" + } + + case "federation": + if prod == false { + annotations["productName"] = "IBM Security Verify Access Virtual Ed Federation Module Non-Production AOS" + annotations["productId"] = "01a9d83608044a4687b3d29a0d4d0a35" + } else { + annotations["productName"] = "IBM Security Verify Access Virtual Edition Federation Module AOS" + annotations["productId"] = "13ce5584032a42eab5704711369a11a4" + } + + case "enterprise": + if prod == false { + annotations["productName"] = "IBM Security Verify Access Virtual Enterprise Edition Non-Production" + annotations["productId"] = "de0d1dce07f145ce9380be5182a68544" + } else { + annotations["productName"] = "IBM Security Verify Access Virtual Enterprise Edition" + annotations["productId"] = "62b1cf23e32140a684284a0cf9a37329" + } + + default: + if prod == false { + annotations["productName"] = "IBM Security Verify Access Virtual Edition Non-Production" + annotations["productId"] = "8e4a78ab1e9249b1b46b6870babf4945" + } // else we use the default + } + dep.Spec.Template.ObjectMeta.SetAnnotations(annotations) + } + + // If administrator provided annotations exist, apply them here. This could rewrite the license annotations + customAnnotations := m.Spec.CustomAnnotations + if customAnnotations != nil { + annotations := make(map[string]string) + if dep.Spec.Template.ObjectMeta.Annotations != nil { + for k, v := range dep.Spec.Template.ObjectMeta.Annotations { + annotations[k] = v + } + } + for _, e := range customAnnotations { + annotations[e.Key] = e.Value + } + dep.Spec.Template.ObjectMeta.SetAnnotations(annotations) + } + + dep.Spec.Template.Spec.Containers[0].Env = append( + dep.Spec.Template.Spec.Containers[0].Env, env...) + + // Set the VerifyAccess instance as the owner and controller + ctrl.SetControllerReference(m, dep, r.Scheme) + + return dep +} + +/*****************************************************************************/ + +/* + * The following function is used to set up the controller with the Manager. + */ + +func (r *IBMSecurityVerifyAccessReconciler) SetupWithManager( + mgr ctrl.Manager) error { + + r.secretMutex = &sync.Mutex{} + + /* + * Work out the namespace in which we are running. + */ + + r.localNamespace, _ = getLocalNamespace(r.Log) + + /* + * Initialise and start the snapshot manager. + */ + + r.snapshotMgr = SnapshotMgr{ + config: mgr.GetConfig(), + scheme: mgr.GetScheme(), + log: r.Log.WithName("SnapshotMgr"), + } + + err := r.snapshotMgr.initialize() + + if err != nil { + return err + } + + go r.snapshotMgr.start() + + /* + * Register our controller. + */ + + return ctrl.NewControllerManagedBy(mgr). + For(&ibmv1.IBMSecurityVerifyAccess{}). + Owns(&appsv1.Deployment{}). + Complete(r) +} + +/*****************************************************************************/ diff --git a/src/internal/controller/snapshotmgr.go b/src/internal/controller/snapshotmgr.go new file mode 100644 index 0000000..34f8971 --- /dev/null +++ b/src/internal/controller/snapshotmgr.go @@ -0,0 +1,1094 @@ +/* + * Copyright contributors to the IBM Security Verify Access Operator project + */ + +package controllers + +/*****************************************************************************/ + +import ( + "bytes" + "context" + "crypto/rand" + "crypto/rsa" + "crypto/tls" + "crypto/x509" + "crypto/x509/pkix" + "encoding/json" + "encoding/pem" + "errors" + "fmt" + "io" + "math/big" + "net" + "net/http" + "os" + "os/signal" + "path/filepath" + "strconv" + "strings" + "sync" + "syscall" + "time" + + "github.com/go-logr/logr" + + "sigs.k8s.io/controller-runtime/pkg/client" + + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/rest" + + apiV1 "k8s.io/api/core/v1" + metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1" + appsV1 "k8s.io/client-go/kubernetes/typed/apps/v1" + coreV1 "k8s.io/client-go/kubernetes/typed/core/v1" + + ibmv1 "github.com/ibm-security/verify-access-operator/api/v1" +) + +/*****************************************************************************/ + +type SnapshotMgr struct { + config *rest.Config + scheme *runtime.Scheme + + log logr.Logger + + server *http.Server + creds map[string]string + + restartMutex *sync.Mutex + webMutex *sync.RWMutex +} + +/*****************************************************************************/ + +/* + * This function is used to trigger a rolling restart of our deployments. This + * will occur whenever a new snapshot is uploaded. + */ + +func (mgr *SnapshotMgr) rollingRestart(path string, modified string) { + + mgr.log.V(9).Info("Entering a function", "Function", "rollingRestart") + + /* + * Work out the list of modified services. + */ + + var services []string + + if len(modified) > 0 { + services = strings.Split(strings.Replace(modified, ":", "-", -1), ",") + } + + /* + * Grab a lock to ensure that we don't process multiple simultaneous + * restarts. + */ + + mgr.restartMutex.Lock() + + /* + * Work out the snapshot identifier, if a snapshot has been provided. + */ + + snapshotId := "" + + if strings.HasPrefix(path, "/snapshots/") { + snapshotName := filepath.Base(filepath.Clean(path)) + + /* + * We now need to pull out the snapshot identifier from the + * name of the snapshot. The snapshot name is of the format: + * isva__.snapshot + */ + + parts := strings.Split(snapshotName, "_") + + if len(parts) != 3 { + mgr.restartMutex.Unlock() + + mgr.log.Info("No deployments will be restarted as the "+ + "snapshot name is invalid", "Snapshot.Name", snapshotName) + + return + } + + parts = strings.Split(parts[2], ".") + + if len(parts) != 2 { + mgr.restartMutex.Unlock() + + mgr.log.Info("No deployments will be restarted as the "+ + "snapshot name is invalid", "Snapshot.Name", snapshotName) + + return + } + + snapshotId = parts[0] + + mgr.log.V(5).Info("Processing a snapshot", "Snapshot.Id", "snapshotId") + } + + /* + * Create a new client based on our configuration. + */ + + appsV1Client, err := appsV1.NewForConfig(mgr.config) + if err != nil { + mgr.restartMutex.Unlock() + + mgr.log.Error(err, "Failed to create a new K8S Application client") + + return + } + + rtClient, err := client.New(mgr.config, + client.Options{ + Scheme: mgr.scheme, + }) + + if err != nil { + mgr.restartMutex.Unlock() + + mgr.log.Error(err, "Failed to create a new controller runtime client") + + return + } + + /* + * Restart the deployments. + */ + + if len(services) > 0 { + for _, service := range services { + mgr.restartDeployments( + path, + snapshotId, + fmt.Sprintf("kind=%s, service=%s", kindName, service), + appsV1Client, + rtClient) + } + } else { + mgr.restartDeployments( + path, + snapshotId, + fmt.Sprintf("kind=%s", kindName), + appsV1Client, + rtClient) + } + + /* + * Finished, so we can release our lock. + */ + + mgr.restartMutex.Unlock() +} + +/*****************************************************************************/ + +/* + * This function is used to trigger a rolling restart of the specified + * deployments. + */ + +func (mgr *SnapshotMgr) restartDeployments( + path string, + snapshotId string, + labels string, + appsV1Client *appsV1.AppsV1Client, + rtClient client.Client) { + + /* + * Retrieve the existing deployments for our operator. + */ + + deployments, err := appsV1Client.Deployments("").List( + context.TODO(), + metaV1.ListOptions{ + LabelSelector: labels, + }) + + if err != nil { + mgr.log.Error(err, "Failed to list deployments") + + return + } + + /* + * Now we need to iterate over each of the deployments, performing + * a rolling restart of the deployment. + */ + + for _, deployment := range deployments.Items { + + mgr.log.V(5).Info("Checking a deployment", + "Deployment.Namespace", deployment.Namespace, + "Deployment.Name", deployment.Name) + + /* + * Detect and retrieve the custom resource for this deployment. The + * name of the custom resource is contained in the VerifyAccess_cr + * label. + */ + + crName := deployment.Labels["VerifyAccess_cr"] + + if len(crName) == 0 { + mgr.log.Info("The deployment does not have a VerifyAccess_cr label", + "Deployment.Namespace", deployment.Namespace, + "Deployment.Name", deployment.Name) + + continue + } + + verifyaccess := &ibmv1.IBMSecurityVerifyAccess{} + + err = rtClient.Get(context.TODO(), + client.ObjectKey{ + Namespace: deployment.Namespace, + Name: crName, + }, + verifyaccess) + + if err != nil { + mgr.log.Error(err, + "Failed to retrieve the IBMSecurityVerifyAccess resource", + "CustomResource.Name", crName) + + continue + } + + /* + * We don't bother to restart the deployment if the AutoRestart field + * has been set to false. + */ + + if !verifyaccess.Spec.AutoRestart { + mgr.log.Info("Not performing an autorestart of the deployment as "+ + "the AutoRestart field is set to false", + "Deployment.Namespace", deployment.Namespace, + "Deployment.Name", deployment.Name) + + continue + } + + /* + * Check to see if the supplied file is actually used by the + * deployment. + */ + + if strings.HasPrefix(path, "/fixpacks/") { + /* + * A new fixpack has been supplied and so we only worry about + * restarting the deployment if it is currently using this + * fixpack. + */ + + fixpackName := filepath.Base(filepath.Clean(path)) + + fixpackInUse := false + + for _, fixpack := range verifyaccess.Spec.Fixpacks { + if fixpackName == fixpack { + fixpackInUse = true + break + } + } + + if !fixpackInUse { + mgr.log.Info("Not performing an autorestart as the "+ + "supplied fixpack is not used by the deployment", + "Deployment.Namespace", deployment.Namespace, + "Deployment.Name", deployment.Name, + "Fixpack.Name", fixpackName) + + continue + } + + } else if strings.HasPrefix(path, "/snapshots/") { + /* + * A new snapshot has been uploaded. We need to see if the + * snapshot identifier for the deployment matches our supplied + * snapshot identifier. + */ + + if snapshotId != verifyaccess.Spec.SnapshotId { + mgr.log.Info("Not performing an autorestart as the "+ + "supplied snapshot is not used by the deployment", + "Deployment.Namespace", deployment.Namespace, + "Deployment.Name", deployment.Name, + "Deployment.Snapshot.Id", verifyaccess.Spec.SnapshotId, + "Snapshot.Id", snapshotId) + + continue + } + } + + /* + * Determine the revision number of the deployment. This is incremented + * to trigger a rolling update. + */ + + mgr.log.Info("Performing a rolling restart of the deployment", + "Deployment.Namespace", deployment.Namespace, + "Deployment.Name", deployment.Name) + + revision, err := strconv.Atoi( + deployment.Spec.Template.Annotations["revision"]) + + if err != nil { + revision = 1 + } else { + revision++ + } + + mgr.log.V(5).Info("New revision number", "Revision", revision) + + /* + * Patch the deployment descriptor with the incremented revision + * number. + */ + + payloadBytes := fmt.Sprintf( + "{\"spec\":"+ + "{\"template\":"+ + "{\"metadata\":"+ + "{\"annotations\":{"+ + "\"revision\":\"%d\"}"+ + "}"+ + "}"+ + "}"+ + "}", revision) + + _, err = appsV1Client.Deployments(deployment.Namespace).Patch( + context.TODO(), + deployment.Name, + types.StrategicMergePatchType, + []byte(payloadBytes), + metaV1.PatchOptions{}) + + if err != nil { + mgr.log.Error(err, "Failed to update the deployment", + "Deployment.Name", deployment.Name) + + return + } + + mgr.log.V(5).Info("Successfully updated the deployment") + } +} + +/*****************************************************************************/ + +/* + * This function is the main function for the snapshot manager and is used + * GET/PUT snapshots. + */ + +func (mgr *SnapshotMgr) serve(w http.ResponseWriter, r *http.Request) { + + mgr.log.V(9).Info("Entering a function", "Function", "serve") + + /* + * Check the authorization to this Web server. The username should always + * be the same, but we use a different password for the GET/POST methods. + */ + + username, password, _ := r.BasicAuth() + + authOk := mgr.creds[userFieldName] == username && + (mgr.creds[rwPwdFieldName] == password || + (r.Method == "GET" && mgr.creds[roPwdFieldName] == password)) + + if !authOk { + w.Header().Set("WWW-Authenticate", + fmt.Sprintf("Basic realm=\"%s\"", operatorName)) + + http.Error(w, + http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) + + mgr.log.V(5).Info("Authentication failed", "Username", username) + + return + } + + /* + * Validate the supplied path, and from this determine the name of the + * file which will be used. We need to ensure that we don't traverse + * out of our data path. The only valid directories are: '/fixpacks', + * and '/snapshots'. + */ + + isValid := false + listFiles := false + + if strings.HasPrefix(r.URL.Path, "/fixpacks/") { + basePath := filepath.Base(filepath.Clean(r.URL.Path)) + + if r.URL.Path == "/fixpacks/"+basePath { + isValid = true + } + } else if strings.HasPrefix(r.URL.Path, "/snapshots/") { + basePath := filepath.Base(filepath.Clean(r.URL.Path)) + + if r.URL.Path == "/snapshots/"+basePath && + strings.HasPrefix(basePath, "isva_") && + strings.HasSuffix(basePath, ".snapshot") { + isValid = true + } + } else if strings.HasPrefix(r.URL.Path, "/snapshots") && + r.Method == "GET" { + //If we are making a get request to the snapshots base URI then we want to return a list + // of known snapshots + isValid = true + listFiles = true + } + + if !isValid { + http.Error(w, + http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + + mgr.log.V(5).Info("An invalid path has been requested", + "Path", r.URL.Path) + + return + } + + fileName := filepath.Join(dataRoot, r.URL.Path) + + /* + * Work out the client of the request. + */ + + client := r.URL.Query().Get("client") + + if len(client) == 0 { + client = r.Header.Get("X-Forwarded-For") + + if len(client) == 0 { + client = r.RemoteAddr + + if len(client) == 0 { + client = "unknown" + } + } + } + + /* + * Process the request based on the specified method. + */ + + switch r.Method { + /* + * For a GET we simply want to return the file. The ServeFile function + * will take care of constructing the response. + */ + + case "GET": + mgr.log.Info("Processing a GET", "Path", r.URL.Path, "Client", client) + if listFiles == true { + mgr.webMutex.RLock() + fp, err := os.Open(fileName) + if err != nil { + mgr.webMutex.RUnlock() + mgr.log.V(5).Error(err, "Error reading snapshot directory") + http.Error(w, + http.StatusText(http.StatusBadRequest), + http.StatusBadRequest) + return + } + fileList, err := fp.Readdir(0) + if err != nil { + mgr.webMutex.RUnlock() + mgr.log.V(5).Error(err, "Error listing files in snapshot diectory") + http.Error(w, + http.StatusText(http.StatusBadRequest), + http.StatusBadRequest) + return + } + type SnapshotProperties map[string]interface{} + var snapshots []SnapshotProperties + for _, snapshot := range fileList { + snapshots = append(snapshots, SnapshotProperties{"name": snapshot.Name(), "size": snapshot.Size(), + "lastModified": snapshot.ModTime().String()}) + } + mgr.webMutex.RUnlock() + jsonStr, err := json.Marshal(snapshots) + if err != nil { + mgr.log.V(5).Error(err, "Error serializing snapshot properties") + http.Error(w, + http.StatusText(http.StatusBadRequest), + http.StatusBadRequest) + return + } + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + w.Write(jsonStr) + } else { + mgr.webMutex.RLock() + http.ServeFile(w, r, fileName) + mgr.webMutex.RUnlock() + } + + /* + * For a POST we want to save the supplied file. + */ + + case "POST": + /* + * Work out some of the information associated with the request and + * then log the request. + */ + + modified := r.URL.Query().Get("modified") + modifiedStr := modified + + if len(modified) == 0 { + modifiedStr = "all" + } + + mgr.log.Info("Processing a POST", + "Path", r.URL.Path, + "Modified", modifiedStr, + "Client", client) + + /* + * Retrieve the file parameter from the form. + */ + + r.ParseMultipartForm(maxMemory) + + file, _, err := r.FormFile("file") + + if err != nil { + http.Error(w, + http.StatusText(http.StatusBadRequest), + http.StatusBadRequest) + + mgr.log.V(5).Error(err, "An invalid POST has been received") + + return + } + + defer file.Close() + + /* + * Create the file which is to be uploaded. + */ + + mgr.webMutex.Lock() + + dst, err := os.Create(fileName) + + if err != nil { + mgr.webMutex.Unlock() + + http.Error(w, err.Error(), http.StatusInternalServerError) + + mgr.log.V(5).Error(err, "Failed to create the file", + "File", fileName) + + return + } + + defer dst.Close() + + /* + * Save the file. + */ + + _, err = io.Copy(dst, file) + + if err != nil { + mgr.webMutex.Unlock() + + http.Error(w, err.Error(), http.StatusInternalServerError) + + mgr.log.V(5).Error(err, "Failed to copy the file", + "File", fileName) + + return + } + + mgr.webMutex.Unlock() + + /* + * Request a restart of all running containers in a separate + * thread. + */ + + go mgr.rollingRestart(filepath.Clean(r.URL.Path), modified) + + /* + * Return a '201 Created' response. + */ + + http.Error(w, "", http.StatusCreated) + + mgr.log.V(5).Info("The file has been saved", "File", fileName) + + /* + * For a DELETE we want to attempt to delete the specified file. The + * response will be different based on whether the file exists, and we + * were able to successfully delete the file. + */ + + case "DELETE": + mgr.log.Info("Processing a DELETE", + "Path", r.URL.Path, "Client", client) + + mgr.webMutex.Lock() + err := os.Remove(fileName) + mgr.webMutex.Unlock() + + var rspCode int + var rspText string + + if err == nil { + rspCode = http.StatusNoContent + rspText = "" + } else if os.IsNotExist(err) { + rspCode = http.StatusNotFound + rspText = http.StatusText(http.StatusNotFound) + } else { + rspCode = http.StatusInternalServerError + rspText = err.Error() + } + + if err == nil { + mgr.log.V(5).Error(err, "Failed to delete the file", + "File", fileName) + } else { + mgr.log.V(5).Info("Successfully deleted the file", + "File", fileName) + } + + http.Error(w, rspText, rspCode) + + /* + * All other methods are not supported. + */ + + default: + mgr.log.V(5).Info("Received a request with an invalid method", + "Path", r.URL.Path, + "Client", client, + "Method", r.Method) + + http.Error(w, + http.StatusText(http.StatusNotImplemented), + http.StatusNotImplemented) + + } +} + +/*****************************************************************************/ + +/* + * This function is used to generate a secure random password based on the + * specified password length. + */ + +func (mgr *SnapshotMgr) generateRandomString(length int) (string, error) { + const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-" + + ret := make([]byte, length) + + for i := 0; i < length; i++ { + num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters)))) + + if err != nil { + return "", err + } + + ret[i] = letters[num.Int64()] + } + + return string(ret), nil +} + +/*****************************************************************************/ + +/* + * The following function is used to generate a new public/private key + * pair. + */ + +func (mgr *SnapshotMgr) generateKey() (cert string, key string, err error) { + + mgr.log.V(9).Info("Entering a function", "Function", "generateKey") + + /* + * Generate the RSA key. + */ + + priv, err := rsa.GenerateKey(rand.Reader, keyLength) + + if err != nil { + mgr.log.Error(err, "Failed to generate an RSA key") + return + } + + /* + * Construct the x509 certificate. + */ + + host, _ := os.Hostname() + + template := x509.Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{ + CommonName: host, + Organization: []string{"IBM"}, + }, + NotBefore: time.Now(), + NotAfter: time.Now().Add(time.Hour * 24 * 365 * 20), + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, + BasicConstraintsValid: true, + IsCA: true, + } + + if ip := net.ParseIP(host); ip != nil { + template.IPAddresses = append(template.IPAddresses, ip) + } else { + template.DNSNames = append(template.DNSNames, host) + } + + //Hard code the service name as a SAN as this is what will be put in the generated secret + namespace, err := getLocalNamespace(mgr.log) + if err != nil { + namespace = "default" + } + template.DNSNames = append(template.DNSNames, fmt.Sprintf("%s.%s.svc.cluster.local:%d", + serviceName, namespace, httpsPort)) + template.DNSNames = append(template.DNSNames, fmt.Sprintf("%s.%s.svc.cluster.local", + serviceName, namespace)) + + derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, + &priv.PublicKey, priv) + + if err != nil { + mgr.log.Error(err, "Failed to generate the certificate") + return + } + + /* + * Convert the certificate. + */ + + out := &bytes.Buffer{} + + pem.Encode(out, &pem.Block{ + Type: "CERTIFICATE", + Bytes: derBytes, + }) + + cert = out.String() + + /* + * Convert the key. + */ + + out.Reset() + + pem.Encode(out, &pem.Block{ + Type: "RSA PRIVATE KEY", + Bytes: x509.MarshalPKCS1PrivateKey(priv), + }) + + key = out.String() + + return +} + +/*****************************************************************************/ + +/* + * This function is used to create our secret and populate the secret with + * our required data. This data includes: + * - the read-only credentials + * - the read-write credentials + * - the server certificate and key + */ + +func (mgr *SnapshotMgr) createSecret( + client coreV1.SecretInterface, namespace string) ( + secret *apiV1.Secret, err error) { + + mgr.log.V(9).Info("Entering a function", "Function", "createSecret") + + /* + * Generate a random password for the read-only and read-write credentials. + */ + + ro_pwd, err := mgr.generateRandomString(pwdLength) + + if err != nil { + mgr.log.Error(err, "Failed to generate a password") + + return + } + + rw_pwd, err := mgr.generateRandomString(pwdLength) + + if err != nil { + mgr.log.Error(err, "Failed to generate a password") + + return + } + + /* + * Generate a self signed certificate and key. + */ + + cert, key, err := mgr.generateKey() + if err != nil { + return + } + + url := fmt.Sprintf("https://%s.%s.svc.cluster.local:%d", + serviceName, namespace, httpsPort) + + /* + * Create the secret. + */ + + secret = &apiV1.Secret{ + Type: apiV1.SecretTypeOpaque, + ObjectMeta: metaV1.ObjectMeta{ + Name: operatorName, + }, + StringData: map[string]string{ + userFieldName: snapshotMgrUser, + urlFieldName: url, + rwPwdFieldName: rw_pwd, + roPwdFieldName: ro_pwd, + certFieldName: cert, + keyFieldName: key, + }, + } + + secret, err = client.Create(context.TODO(), secret, metaV1.CreateOptions{}) + + if err != nil { + mgr.log.Error(err, "Failed to create the secret", + "Secret.Name", operatorName) + + return + } + + return +} + +/*****************************************************************************/ + +/* + * This function is used to load the relevant data from our secret. We need + * to obtain: + * - the read-only credentials + * - the read-write credentials + * - the server certificate and key + */ + +func (mgr *SnapshotMgr) loadSecret() (err error) { + var secretsClient coreV1.SecretInterface + var secret *apiV1.Secret + var namespace string + + mgr.log.V(9).Info("Entering a function", "Function", "loadSecret") + + /* + * Work out the namespace in which we are running. + */ + + namespace, err = getLocalNamespace(mgr.log) + + if err != nil { + return + } + + /* + * Create a new client based on our current configuration. + */ + + clientset, err := kubernetes.NewForConfig(mgr.config) + if err != nil { + mgr.log.Error(err, "Failed to create a new client") + + return + } + + /* + * Attempt to retrieve the secret. + */ + + secretsClient = clientset.CoreV1().Secrets(namespace) + secret, err = secretsClient.Get( + context.TODO(), operatorName, metaV1.GetOptions{}) + + if err != nil { + mgr.log.V(5).Info("Creating the secret", "Secret.Name", operatorName) + + /* + * The secret doesn't already exist and so we try to create the + * secret now. + */ + + secret, err = mgr.createSecret(secretsClient, namespace) + + if err != nil { + return + } + } else { + mgr.log.V(5).Info("Found the secret", "Secret.Name", operatorName) + } + + /* + * We now have the secret and so we need to store the data, also + * checking that all of the required data exists. + */ + + mgr.creds = make(map[string]string) + + keys := []string{ + userFieldName, + urlFieldName, + roPwdFieldName, + rwPwdFieldName, + certFieldName, + keyFieldName, + } + + for _, key := range keys { + value, ok := secret.Data[key] + + if !ok { + mgr.log.Error(err, "The secret is missing a required field", + "Secret.Name", operatorName, "Field.Name", key) + + err = errors.New("Missing field") + + return + } + + mgr.creds[key] = string(value) + } + + return +} + +/*****************************************************************************/ + +/* + * This function is used to initialize the snapshot manager. + */ + +func (mgr *SnapshotMgr) initialize() (err error) { + /* + * Initialise this object. + */ + + err = mgr.loadSecret() + if err != nil { + return + } + + mgr.restartMutex = &sync.Mutex{} + mgr.webMutex = &sync.RWMutex{} + + /* + * Create the directories which will store our data. + */ + + dirs := []string{ + dataRoot, + filepath.Join(dataRoot, "snapshots"), + filepath.Join(dataRoot, "fixpacks"), + } + + for _, dir := range dirs { + err = os.Mkdir(dir, 0700) + + if err != nil && !os.IsExist(err) { + mgr.log.Error(err, "Failed to create the data directory", + "Directory", dir) + + return + } else { + err = nil + } + + } + + return +} + +/*****************************************************************************/ + +/* + * This function is used to start the snapshot manager, and then wait until + * we are told to terminate. + */ + +func (mgr *SnapshotMgr) start() { + var err error + + mgr.log.Info("Starting the snapshot manager", "Port", httpsPort) + + /* + * Define the http server and server handler. + */ + + pair, err := tls.X509KeyPair( + []byte(mgr.creds[certFieldName]), + []byte(mgr.creds[keyFieldName])) + + if err != nil { + mgr.log.Error(err, "Failed to generate the X509 key pair") + + return + } + + mgr.server = &http.Server{ + Addr: fmt.Sprintf(":%v", httpsPort), + TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}}, + } + + mux := http.NewServeMux() + + mux.HandleFunc("/", mgr.serve) + + mgr.server.Handler = mux + + /* + * Start listening for requests in a different thread. + */ + + mgr.log.V(5).Info("Waiting for Web requests") + + go func() { + if err := mgr.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed { + mgr.log.Error(err, "Failed to start the snapshot manager") + } + }() + + /* + * Wait and listen for the OS shutdown singal. + */ + + signalChan := make(chan os.Signal, 1) + signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM) + <-signalChan + + mgr.log.Info("Received a shutdown signal, shutting down the snapshot " + + "manager gracefully") + + mgr.server.Shutdown(context.Background()) +} + +/*****************************************************************************/ diff --git a/src/internal/controller/suite_test.go b/src/internal/controller/suite_test.go new file mode 100644 index 0000000..1422c6b --- /dev/null +++ b/src/internal/controller/suite_test.go @@ -0,0 +1,65 @@ +/* + * Copyright contributors to the IBM Security Verify Access Operator project + */ + +package controllers + +import ( + "path/filepath" + "testing" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + + ibmv1 "github.com/ibm-security/verify-access-operator/api/v1" + //+kubebuilder:scaffold:imports +) + +// These tests use Ginkgo (BDD-style Go testing framework). Refer to +// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. + +var cfg *rest.Config +var k8sClient client.Client +var testEnv *envtest.Environment + +func TestAPIs(t *testing.T) { + RegisterFailHandler(Fail) + + RunSpecs(t, "Controller Suite") +} + +var _ = BeforeSuite(func() { + logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) + + By("bootstrapping test environment") + testEnv = &envtest.Environment{ + CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")}, + ErrorIfCRDPathMissing: true, + } + + cfg, err := testEnv.Start() + Expect(err).NotTo(HaveOccurred()) + Expect(cfg).NotTo(BeNil()) + + err = ibmv1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + //+kubebuilder:scaffold:scheme + + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) + Expect(err).NotTo(HaveOccurred()) + Expect(k8sClient).NotTo(BeNil()) + +}) + +var _ = AfterSuite(func() { + By("tearing down the test environment") + err := testEnv.Stop() + Expect(err).NotTo(HaveOccurred()) +}) diff --git a/src/internal/controller/utils.go b/src/internal/controller/utils.go new file mode 100644 index 0000000..824cea6 --- /dev/null +++ b/src/internal/controller/utils.go @@ -0,0 +1,55 @@ +/* + * Copyright contributors to the IBM Security Verify Access Operator project + */ + +package controllers + +import ( + "github.com/go-logr/logr" + "io/ioutil" + "k8s.io/client-go/tools/clientcmd" + "k8s.io/client-go/tools/clientcmd/api" +) + +/*****************************************************************************/ + +/* + * This function is used to determine the namespace in which the current + * pod is running. + */ + +func getLocalNamespace(log logr.Logger) (namespace string, err error) { + var namespaceBytes []byte + var clientCfg *api.Config + + log.V(9).Info("Entering a function", "Function", "getLocalNamespace") + + /* + * Work out the namespace which should be used. In a Kubernetes + * environment we read this from the namespace file, otherwise we use + * the default namespace in the kubectl file. + */ + + namespace = "default" + + namespaceBytes, err = ioutil.ReadFile(k8sNamespaceFile) + + if err != nil { + clientCfg, err = clientcmd.NewDefaultClientConfigLoadingRules().Load() + + if err != nil { + log.Error(err, "Failed to load the client configuration") + return + } + + namespace = clientCfg.Contexts[clientCfg.CurrentContext].Namespace + } else { + namespace = string(namespaceBytes) + } + + log.V(5).Info("Found a namespace to use", "Namespace", namespace) + + return +} + +/*****************************************************************************/ From 17f5efe9663c00ab68cab55a24b7ad83d7430e79 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Fri, 11 Oct 2024 11:57:55 +1000 Subject: [PATCH 03/13] Udpate path for operator cert for backwards compatibility --- src/internal/controller/constants.go | 2 +- .../controller/ibmsecurityverifyaccess_controller.go | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/internal/controller/constants.go b/src/internal/controller/constants.go index c30da3c..87f0a10 100644 --- a/src/internal/controller/constants.go +++ b/src/internal/controller/constants.go @@ -17,7 +17,7 @@ const k8sNamespaceFile string = "/var/run/secrets/kubernetes.io/serviceaccount/n * THe name of the kubernetes file which is used to mount the CA X509 for the * operator's snapshot management service. */ -const k8sSnapMgrCertDir string = "/var/run/secrets/kubernetes.io/verify-access-operator" +const k8sSnapMgrCertFile string = "/tmp/verify-access-operator.crt" /* * The name which is given to our operator. This same name will also be diff --git a/src/internal/controller/ibmsecurityverifyaccess_controller.go b/src/internal/controller/ibmsecurityverifyaccess_controller.go index a7abaa1..c81811d 100644 --- a/src/internal/controller/ibmsecurityverifyaccess_controller.go +++ b/src/internal/controller/ibmsecurityverifyaccess_controller.go @@ -549,6 +549,9 @@ func (r *IBMSecurityVerifyAccessReconciler) deploymentForVerifyAccess( Name: "CONFIG_SERVICE_TLS_CACERT", Value: m.Spec.SnapshotTLSCacert, }) + if m.Spec.SnapshotTLSCacert == "operator" { + addSnapMgrCert = true + } } else { addSnapMgrCert = true @@ -604,7 +607,7 @@ func (r *IBMSecurityVerifyAccessReconciler) deploymentForVerifyAccess( volMnts = append(volMnts, corev1.VolumeMount{ Name: operatorName, ReadOnly: true, - MountPath: k8sSnapMgrCertDir, + MountPath: k8sSnapMgrCertFile, SubPath: certFieldName, }) vols = append(vols, corev1.Volume{ @@ -622,7 +625,6 @@ func (r *IBMSecurityVerifyAccessReconciler) deploymentForVerifyAccess( }, }) } - r.Log.V(1).Info(fmt.Printf("%#v\n", maxVolMnts)) /* * Set up the rest of the deployment descriptor. */ From cfcd52e16221d2172f9d8bbe9855f48fd47abd17 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Thu, 21 Nov 2024 06:39:13 +1000 Subject: [PATCH 04/13] update product name --- .../ibmsecurityverifyaccess_controller.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/internal/controller/ibmsecurityverifyaccess_controller.go b/src/internal/controller/ibmsecurityverifyaccess_controller.go index c81811d..ed833f2 100644 --- a/src/internal/controller/ibmsecurityverifyaccess_controller.go +++ b/src/internal/controller/ibmsecurityverifyaccess_controller.go @@ -674,7 +674,7 @@ func (r *IBMSecurityVerifyAccessReconciler) deploymentForVerifyAccess( annotations := map[string]string{ "productMetric": "PROCESSOR_VALUE_UNIT", "productChargedContainers": "All", - "productName": "IBM Security Verify Access Virtual Edition", + "productName": "IBM Verify Identity Access Virtual Edition", "productId": "e2ba21cf5df245bb8524be1957857d9f", } prod := m.Spec.LicenseAnnotations.Production @@ -682,34 +682,34 @@ func (r *IBMSecurityVerifyAccessReconciler) deploymentForVerifyAccess( switch module { case "access_control": if prod == false { - annotations["productName"] = "IBM Security Verify Access Virtual Edition AAC Module Non-Production AOS" + annotations["productName"] = "IBM Verify Identity Access Virtual Edition AAC Module Non-Production AOS" annotations["productId"] = "707987d5b0ca48e8af8e5856c027980f" } else { - annotations["productName"] = "IBM Security Verify Access Virtual Edition AAC Module AOS" + annotations["productName"] = "IBM Verify Identity Access Virtual Edition AAC Module AOS" annotations["productId"] = "25d814176e0f4f21b64db66b916414d4" } case "federation": if prod == false { - annotations["productName"] = "IBM Security Verify Access Virtual Ed Federation Module Non-Production AOS" + annotations["productName"] = "IBM Verify Identity Access Virtual Ed Federation Module Non-Production AOS" annotations["productId"] = "01a9d83608044a4687b3d29a0d4d0a35" } else { - annotations["productName"] = "IBM Security Verify Access Virtual Edition Federation Module AOS" + annotations["productName"] = "IBM Verify Identity Access Virtual Edition Federation Module AOS" annotations["productId"] = "13ce5584032a42eab5704711369a11a4" } case "enterprise": if prod == false { - annotations["productName"] = "IBM Security Verify Access Virtual Enterprise Edition Non-Production" + annotations["productName"] = "IBM Verify Identity Access Virtual Enterprise Edition Non-Production" annotations["productId"] = "de0d1dce07f145ce9380be5182a68544" } else { - annotations["productName"] = "IBM Security Verify Access Virtual Enterprise Edition" + annotations["productName"] = "IBM Verify Identity Access Virtual Enterprise Edition" annotations["productId"] = "62b1cf23e32140a684284a0cf9a37329" } default: if prod == false { - annotations["productName"] = "IBM Security Verify Access Virtual Edition Non-Production" + annotations["productName"] = "IBM Verify Identity Access Virtual Edition Non-Production" annotations["productId"] = "8e4a78ab1e9249b1b46b6870babf4945" } // else we use the default } From 9aed2f496d25e615fb32f984224c65752b6a19e2 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Thu, 19 Dec 2024 08:35:46 +1000 Subject: [PATCH 05/13] Migrate from kube-rbac-proxy to golang http server; update Operator with rerand from verify access to verify identity access; migrate operator sdk from v3 to v4 --- README.md | 68 ++++++++++--------- build/operator_build.py | 2 +- src/.gitignore | 2 + src/cmd/main.go | 36 ++++++++++ src/config/default/kustomization.yaml | 5 +- src/config/default/manager_config_patch.yaml | 4 ++ src/config/default/metrics_service.yaml | 15 ++++ src/config/manager/kustomization.yaml | 2 +- src/config/manager/manager.yaml | 1 + ...access-operator.clusterserviceversion.yaml | 14 ++-- src/config/rbac/kustomization.yaml | 19 ++++-- src/config/rbac/metrics_auth_role.yaml | 17 +++++ .../rbac/metrics_auth_role_binding.yaml | 12 ++++ src/config/rbac/metrics_reader_role.yaml | 9 +++ .../ibm_v1_ibmsecurityverifyaccess.yaml | 29 ++++++-- src/go.mod | 26 +++++++ src/go.sum | 57 ++++++++++++++++ src/internal/controller/snapshotmgr.go | 13 ++-- 18 files changed, 274 insertions(+), 57 deletions(-) create mode 100644 src/config/default/metrics_service.yaml create mode 100644 src/config/rbac/metrics_auth_role.yaml create mode 100644 src/config/rbac/metrics_auth_role_binding.yaml create mode 100644 src/config/rbac/metrics_reader_role.yaml diff --git a/README.md b/README.md index 57e3833..a8c061c 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# IBM Security Verify Access Operator +# IBM Verify Identity Access Operator * [Overview](#overview) * [Installation](#installation) + [RedHat OpenShift Environment](#redhat-openshift-environment) @@ -19,17 +19,19 @@ ## Overview -In a world of highly fragmented access management environments, [IBM Security Verify Access](https://www.ibm.com/au-en/products/verify-access) helps you simplify your users' access while more securely adopting web, mobile and cloud technologies. This solution helps you strike a balance between usability and security through the use of risk-based access, single sign-on, integrated access management control, identity federation and its mobile multi-factor authentication capability, IBM Verify. Take back control of your access management with IBM Security Verify Access. +In a world of highly fragmented access management environments, [IBM Verify Identity Access](https://www.ibm.com/au-en/products/verify-access) helps you simplify your users' access while more securely adopting web, mobile and cloud technologies. This solution helps you strike a balance between usability and security through the use of risk-based access, single sign-on, integrated access management control, identity federation and its mobile multi-factor authentication capability, IBM Verify. Take back control of your access management with IBM Verify Identity Access. -For a detailed description of IBM Security Verify Access refer to the [Official documentation](https://www.ibm.com/docs/en/sva). +For a detailed description of IBM Verify Identity Access refer to the [Official documentation](https://www.ibm.com/docs/en/sva). -The IBM Security Verify Access operator provides lifecycle management of the lightweight containers which are used to protect an environment, namely: +The IBM Verify Identity Access operator provides lifecycle management of the lightweight containers which are used to protect an environment, namely: * [Web Reverse Proxy](https://www.ibm.com/docs/en/sva/latest?topic=support-docker-image-verify-access-web-reverse-proxy) + ds-docker-image-verify-identity-access-web-reverse-proxy * [Runtime](https://www.ibm.com/docs/en/sva/latest?topic=support-docker-image-verify-access-runtime) + support-docker-image-verify-identity-access-runtime * [Distributed Session Cache](https://www.ibm.com/docs/en/sva/latest?topic=support-docker-image-verify-access-distributed-session-cache) -The operator will manage the deployment of these lightweight IBM Security Verify Access worker containers, and also control the rolling restart of these containers when a configuration snapshot is updated, as depicted in the following figure. +The operator will manage the deployment of these lightweight IBM Verify Identity Access worker containers, and also control the rolling restart of these containers when a configuration snapshot is updated, as depicted in the following figure. ![Overview](src/images/Overview.png) @@ -47,7 +49,7 @@ Some points to note about the figure: ### RedHat OpenShift Environment -The IBM Security Verify Access Operator is available from the RedHat community operator catalog. Information on how to install a community operator in OpenShift can be obtained from the official RedHat OpenShift documentation. +The IBM Verify Identity Access Operator is available from the RedHat community operator catalog. Information on how to install a community operator in OpenShift can be obtained from the official RedHat OpenShift documentation. ### Standard Kubernetes Environment @@ -61,31 +63,31 @@ The information provided by [OperatorHub.io](https://operatorhub.io/) allows the ##### Installing -To install the IBM Security Verify Access operator from OperatorHub.io: +To install the IBM Verify Identity Access operator from OperatorHub.io: -1. Access the [IBM Security Verify Access operator page on OperatorHub.io](https://operatorhub.io/operator/ibm-security-verify-access-operator) in a browser. +1. Access the [IBM Verify Identity Access operator page on OperatorHub.io](https://operatorhub.io/operator/ibm-security-verify-access-operator) in a browser. 2. Click the Install button on the page and follow the installation instructions. -3. Ensure that the IBM Security Verify Access operator has been created by the Operator Lifecycle Manager. The phase should be set to "Succeeded". Note that this may take a few minutes. +3. Ensure that the IBM Verify Identity Access operator has been created by the Operator Lifecycle Manager. The phase should be set to "Succeeded". Note that this may take a few minutes. ```shell kubectl get csv -n operators NAME DISPLAY VERSION REPLACES PHASE -verify-access-operator.v23.3.0 IBM Security Verify Access Operator 23.3.0 Succeeded +verify-access-operator.v24.12.0 IBM Verify Identity Access Operator 24.12.0 Succeeded ``` -At this point the Operator Lifecycle Manager has been installed into the Kubernetes cluster, the IBM Security Verify Access operator has been deployed and a subscription has been created that will monitor for any updates to the operator on OperatorHub.io. The IBM Security Verify Access operator is now operational and any subsequent custom resources of the kind "IBMSecurityVerifyAccess" will result in the operator being invoked to create the deployment. +At this point the Operator Lifecycle Manager has been installed into the Kubernetes cluster, the IBM Verify Identity Access operator has been deployed and a subscription has been created that will monitor for any updates to the operator on OperatorHub.io. The IBM Verify Identity Access operator is now operational and any subsequent custom resources of the kind "IBMSecurityVerifyAccess" will result in the operator being invoked to create the deployment. #### Manual Installation -The IBM Security Verify Access operator in essence is made up of 2 components: +The IBM Verify Identity Access operator in essence is made up of 2 components: 1. The custom resource definition 2. The controller application -Each of these needs to be deployed into the Kubernetes environment before the operator can function. The definitions for these resources are published with the IBM Security Verify Access Operator GitHub release in a single `bundle.yaml` file. +Each of these needs to be deployed into the Kubernetes environment before the operator can function. The definitions for these resources are published with the IBM Verify Identity Access Operator GitHub release in a single `bundle.yaml` file. To see a list of available releases refer to the releases page in GitHub: [https://github.com/IBM-Security/verify-access-operator/releases](https://github.com/IBM-Security/verify-access-operator/releases). @@ -101,7 +103,7 @@ kubectl get deployment -n verify-access-operator-system NAME READY UP-TO-DATE AVAILABLE AGE verify-access-operator-controller-manager 1/1 1 1 21s ``` -At this point the IBM Security Verify Access operator has been deployed and is operational. Any subsequent custom resources of the kind "IBMSecurityVerifyAccess" will result in the operator being invoked to create the deployment. +At this point the IBM Verify Identity Access operator has been deployed and is operational. Any subsequent custom resources of the kind "IBMSecurityVerifyAccess" will result in the operator being invoked to create the deployment. ## Usage @@ -148,7 +150,7 @@ The following sections describe the various methods which can be used to access The GET method can be used to retrieve a specific snapshot. An example curl command which can be used to retrieve a snapshot is as follows: ```shell -curl -k -u $USER:$RO_PWD -O $URL/snapshots/isva_10.0.5.0_published.snapshot +curl -k -u $USER:$RO_PWD -O $URL/snapshots/ivia_10.0.5.0_published.snapshot ``` #### POST @@ -166,7 +168,7 @@ The service names used in the `modified` query string argument is as follows: An example curl command which can be used to upload a new snapshot is as follows: ```shell -curl -k -u $USER:$RW_PWD -F 'file=@/var/shared/snapshots/isva_10.0.5.0_published.snapshot' $URL/snapshots/isva_10.0.5.0_published.snapshot?modified=wrp:default,runtime +curl -k -u $USER:$RW_PWD -F 'file=@/var/shared/snapshots/ivia_10.0.5.0_published.snapshot' $URL/snapshots/ivia_10.0.5.0_published.snapshot?modified=wrp:default,runtime ``` #### DELETE @@ -174,13 +176,13 @@ curl -k -u $USER:$RW_PWD -F 'file=@/var/shared/snapshots/isva_10.0.5.0_published The DELETE method can be used to delete a specific snapshot. An example curl command which can be used to delete a snapshot is as follows: ```shell -curl -k -u $USER:$RW_PWD -X DELETE $URL/snapshots/isva_10.0.5.0_published.snapshot +curl -k -u $USER:$RW_PWD -X DELETE $URL/snapshots/ivia_10.0.5.0_published.snapshot ``` ### Partitioning the Cluster It is important to be able to partition the environment so that the same Kubernetes cluster can be used for test/development/production/etc. To this end a snapshot identifier can be specified when deploying a new worker container - this is an optional part of the custom resource definition of the operator. -The name of the snapshot which is used by the container is then constructed from the snapshot identifier, as: `isva__.snapshot` +The name of the snapshot which is used by the container is then constructed from the snapshot identifier, as: `ivia__.snapshot` The operator will be able to store multiple snapshots, and on a snapshot update will only perform a rolling restart on those deployments which are using the updated snapshot. @@ -191,7 +193,7 @@ The configuration container can also be configured to use a snapshot with a spec In order to deploy a worker container using the operator a new IBMSecurityVerifyAccess custom resource must be created in the environment. -The following example (isva-wrp.yaml) shows the custom resource for a new worker container: +The following example (ivia-wrp.yaml) shows the custom resource for a new worker container: ```yaml apiVersion: ibm.com/v1 @@ -199,11 +201,11 @@ kind: IBMSecurityVerifyAccess metadata: # The name which will be give to the deployment. - name: isva-sample + name: ivia-sample spec: # The name of the image which will be used in the deployment. - image: "icr.io/isva/verify-access-wrp:10.0.5.0" + image: "icr.io/ivia/ivia-wrp:11.0.0.0" # The number of pods which will be started for the deployment. replicas: 1 @@ -224,7 +226,7 @@ spec: # fixpacks: # - "test.fixpack" - # The name of the Verify Access instance which is being deployed. This value + # The name of the Verify Identity Access instance which is being deployed. This value # is only used for WRP and DSC deployments and is ignored for Runtime # deployments. instance: default @@ -237,11 +239,11 @@ spec: # the pod. More info can be found at: # https://kubernetes.io/docs/concepts/storage/volumes volumes: - - name: isva-config + - name: ivia-config emptyDir: {} # The list of references to secrets in the same namespace to use for the - # pulling of the Verify Access image. + # pulling of the Verify Identity Access image. # imagePullSecrets: # - name:my-secret @@ -250,21 +252,21 @@ spec: # The X509 certificate to verify the connection to the configuration snapshot # service. The default value for this property is "operator", which reads the "tls.cert" - # value from the verify-access-operator secret created in the namespace that the Verify + # value from the verify-access-operator secret created in the namespace that the Verify Identity # Access pods are deployed to. snapshotTLSCacert: "operator" # The IBM License Metric Tool annotations to add to the runtime container. These annotations a required - # by IBM to track license useage for the IBM Security Verfy Access product. Administartors have the option + # by IBM to track license useage for the IBM Verify Identity Access product. Administartors have the option # of using licence codes for WebSEAL, Advanced Access Cotnrol, Federation or Enterprise; as well as production - # or non-production (development) licenses. The actual license codes you sould deploy will depend on your + # or non-production (development) licenses. The actual license codes you should deploy will depend on your # licensing agreement with IBM. ilmtAnnotations: - module: welseal + module: webseal production: true - # Administarators can optionally set additional annotations to add to deployed Verify Access runtime + # Administarators can optionally set additional annotations to add to deployed Verify Identity Access runtime # containers. This may be used for integration with third party applications such as log aggregation # or infrastructure monitoring tools. Character restrictions for custom annotations are the same for # any other Kubernets annotation. @@ -306,7 +308,7 @@ spec: The following command can be used to create the deployment from this file: ```shell -kubectl apply -f isva-wrp.yaml +kubectl apply -f ivia-wrp.yaml ``` #### Container Defaults @@ -395,14 +397,14 @@ An example NodePort service definition is provided below: apiVersion: v1 kind: Service metadata: - name: isva-sample + name: ivia-sample spec: ports: - port: 9443 - name: isva-sample + name: ivia-sample protocol: TCP nodePort: 30443 selector: - app: isva-sample + app: ivia-sample type: NodePort ``` diff --git a/build/operator_build.py b/build/operator_build.py index 3c5b383..fbedb5b 100755 --- a/build/operator_build.py +++ b/build/operator_build.py @@ -71,7 +71,7 @@ def validate_source_path(source_path): sys.exit(1) - go_module = os.path.join(source_path, "src", "main.go") + go_module = os.path.join(source_path, "src", "cmd", "main.go") if not os.path.isfile(go_module): print("Error> the specified source path is invalid: {0}!".format( diff --git a/src/.gitignore b/src/.gitignore index 9a08e7d..e1e2e5c 100644 --- a/src/.gitignore +++ b/src/.gitignore @@ -22,6 +22,8 @@ testbin/* # Additional generated files to skip. api/v1/zz_generated.deepcopy.go bundle/* +bundle.yaml +bundle.Dockerfile # editor and IDE paraphernalia .idea diff --git a/src/cmd/main.go b/src/cmd/main.go index 418596e..6c66f3d 100644 --- a/src/cmd/main.go +++ b/src/cmd/main.go @@ -5,6 +5,7 @@ package main import ( + "crypto/tls" "flag" "os" @@ -18,6 +19,8 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" + metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" ibmv1 "github.com/ibm-security/verify-access-operator/api/v1" "github.com/ibm-security/verify-access-operator/internal/controller" @@ -38,23 +41,56 @@ func init() { func main() { var metricsAddr string + var secureMetrics bool + var tlsOpts []func(*tls.Config) + var enableHTTP2 bool var enableLeaderElection bool var probeAddr string flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + flag.BoolVar(&secureMetrics, "metrics-secure", true, + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics service") opts := zap.Options{ Development: true, } opts.BindFlags(flag.CommandLine) flag.Parse() + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + metricsServerOptions := metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + } + if secureMetrics { + // FilterProvider is used to protect the metrics endpoint with authn/authz. + // These configurations ensure that only authorized users and service accounts + // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + + // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. + } + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, + Metrics: metricsServerOptions, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "0941aff7.ibm.com", diff --git a/src/config/default/kustomization.yaml b/src/config/default/kustomization.yaml index b0d7074..75e9ae5 100644 --- a/src/config/default/kustomization.yaml +++ b/src/config/default/kustomization.yaml @@ -25,12 +25,15 @@ bases: #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +- metrics_service.yaml patchesStrategicMerge: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml +#- manager_auth_proxy_patch.yaml + +#Migration from kube-rbac-proxy t WithAuthenticationAndAuthorization # Mount the controller config file for loading manager configurations # through a ComponentConfig type diff --git a/src/config/default/manager_config_patch.yaml b/src/config/default/manager_config_patch.yaml index 06b71c8..49b7985 100644 --- a/src/config/default/manager_config_patch.yaml +++ b/src/config/default/manager_config_patch.yaml @@ -11,7 +11,11 @@ spec: containers: - name: manager args: + - "--metrics-bind-address=:8443" - "--config=controller_manager_config.yaml" + ports: + - containerPort: 8443 + - containerPort: 7443 volumeMounts: - name: manager-config mountPath: /controller_manager_config.yaml diff --git a/src/config/default/metrics_service.yaml b/src/config/default/metrics_service.yaml new file mode 100644 index 0000000..ef41474 --- /dev/null +++ b/src/config/default/metrics_service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + control-plane: controller-manager diff --git a/src/config/manager/kustomization.yaml b/src/config/manager/kustomization.yaml index 693e734..71866e1 100644 --- a/src/config/manager/kustomization.yaml +++ b/src/config/manager/kustomization.yaml @@ -15,4 +15,4 @@ kind: Kustomization images: - name: controller newName: icr.io/isva/verify-access-operator - newTag: 24.10.0 + newTag: 24.12.0 diff --git a/src/config/manager/manager.yaml b/src/config/manager/manager.yaml index cd9ac50..3d9a8e0 100644 --- a/src/config/manager/manager.yaml +++ b/src/config/manager/manager.yaml @@ -30,6 +30,7 @@ spec: - command: - /manager args: + - --metrics-bind-address=:8443 - --leader-elect image: controller:latest name: manager diff --git a/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml b/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml index 5d97e32..beb905d 100644 --- a/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml +++ b/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml @@ -8,8 +8,8 @@ metadata: certified: "false" containerImage: icr.io/isva/verify-access-operator:0000.0000.0000 createdAt: --date-- - description: The IBM Security Verify Access Operator manages the lifecycle of - IBM Security Verify Access worker containers. + description: The IBM Verify Identity Access Operator manages the lifecycle of + IBM Verify Identity Access worker containers. repository: https://github.com/IBM-Security/verify-access-operator support: IBM name: ibm-security-verify-access-operator.v0000.0000.0000 @@ -56,18 +56,18 @@ spec: x-descriptors: - 'urn:alm:descriptor:io.kubernetes.conditions' description: |+ - In a world of highly fragmented access management environments, [IBM Security Verify Access](https://www.ibm.com/au-en/products/verify-access) helps you simplify your users' access while more securely adopting web, mobile and cloud technologies. This solution helps you strike a balance between usability and security through the use of risk-based access, single sign-on, integrated access management control, identity federation and its mobile multi-factor authentication capability, IBM Verify. Take back control of your access management with IBM Security Verify Access. + In a world of highly fragmented access management environments, [IBM Verify Identity Access](https://www.ibm.com/au-en/products/verify-access) helps you simplify your users' access while more securely adopting web, mobile and cloud technologies. This solution helps you strike a balance between usability and security through the use of risk-based access, single sign-on, integrated access management control, identity federation and its mobile multi-factor authentication capability, IBM Verify. Take back control of your access management with IBM Verify Identity Access. - The IBM Security Verify Access operator provides lifecycle management of the lightweight containers which are used to protect an environment, namely: + The IBM Verify Identity Access operator provides lifecycle management of the lightweight containers which are used to protect an environment, namely: * [Web Reverse Proxy](https://www.ibm.com/docs/en/sva/latest?topic=support-docker-image-verify-access-web-reverse-proxy) * [Runtime](https://www.ibm.com/docs/en/sva/latest?topic=support-docker-image-verify-access-runtime) * [Distributed Session Cache](https://www.ibm.com/docs/en/sva/latest?topic=support-docker-image-verify-access-distributed-session-cache) - The operator will manage the deployment of these lightweight IBM Security Verify Access worker containers, and also control the rolling restart of these containers when a configuration snapshot is updated. + The operator will manage the deployment of these lightweight IBM Verify Identity Access worker containers, and also control the rolling restart of these containers when a configuration snapshot is updated. See the project [Readme](https://github.com/IBM-Security/verify-access-operator/blob/master/README.md) for further information and details. - displayName: IBM Security Verify Access Operator + displayName: IBM Verify Identity Access Operator icon: - base64data: iVBORw0KGgoAAAANSUhEUgAAAKAAAACgCAQAAAAhxq+mAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQfkAQYXFCksf3+UAAAMEElEQVR42u2ce3RUxRnAf7shT5JAwjvySIKCEKyICgkqCLYKiGBQq6eCini0qBWOeny02sfpMaBWlP6DQm2PwPFUK68KBDiAFTShPJUQIDwEEkASCQnkzSbZ/pHL7N27d3fv3t3sTZf5zT+TzHxzZ76dO49vvjsgkUgkEolEIpFIJBKJRCKRSCQSiUQikUgkEolEIpFIJBKJJNKwWfz8KNK4iQySucw5DnCI+pBLRCx2sphPEVU046SVek6zhgdICqFEBBPDDA7SilMTLvER6SGSiGA68QI/eaiiLbSwlmtDIBHRPEi5F2U4cdLKMlKDlggLUZaoL533GaTEmyliFRspJobu2AGwMYhS9gQlEdHMoVnpORfJI4NoIJoM8rgo+lQBPYOSiGAS2ao0uZk84lUp8eQJRVVzfxASEc0NnFKa/B2ZmrRMvhM96k9BSIQNe/gfST8SlVgBZZq0MgpV+eJMS4QNKxSYQCclVolDk+bgvE6+wCXChhUKrKdZiXUjWpMWTXedfIFLhA0rFFhGrRIbTT9NWj9yRPw0jaYlwoYVCjzBcSU2jKc0c+pTDFPiF9kXhESE476qywx4HWhEIkxYY85K53NuVeLNFFPIebqTQ5aYBBqZw+KgJCKchwLe2QYuEdH4tq2sC9gas+5qs8Z4t+7VsJiMEElEOHaG8TYHqKJFZV9+0KdFOlCJdsf6M5FrVCccRYbORAKVkEgkEkk7Eb5JxE5vrmWn3+2+jWhSyaAv3UkiFmiihp84w0kqceD0Ix/HSI5xjtbwNCs89rNEbmACU9jIDp/5ujGUUdzGYLqSSJwwXTlooI5qSihgBwep9FFGK5OYwJfkU0RNeJTYnnSiPzNZwY84ucAkr/miyGQuGznvY7vWFirZyFwyfZwnTuICTs6xkifpH34Ta+hIZBzzKaJBafpWr7vVTF7nAJf9Ku9KuEwxv/W6+0gVR1ANHOAdxv//uX7EcB1Ps45zqkY386Ju3iRmsFMYq4yHZnYyw4tqXnQrr5x8nmEQsVarxRjJ3MNCDuHQNPgkWTq5M/iQmoCV59oFf6jbD7M4qcnpoIS/MoEulu+9fBBDFs+zxcs4tsTjxMzGKL4y0ffc++FXjPJQShxLvIyfW3mBYR2vL9rpxmSWcIQWLw3VO/S+i6KglHclFHGXR9n3U+3V9HWUvzFFOIVYTjTDeZntKtO6XviWbhq5sRSHRH1OnBQzVlN6Nwp8SlziG15hBDFWqs5OH6axjB90XsNGDrKCCvH3axrZEewLmfqcONnHCM0TXhNp5azgII06ffEEy3mAtGD6otlVUiw/YyITudHtjAzASTUFrCOf0UxQ/lfKJk2uLqxhDf52FUaxAV00/9vEs8oRaGdWUMAkJjGarqrx0k466UyjiPXksz9cR6J2BvAIn1Om2+++ZwFjSAESWC7+v9xDze1PvOr5y0gAUhjDAr7X6YvNlPEvfkV6+46LNhLJYR67dKtQziqeIEP8wsM5raTV8nDY1QfwMLVKDU5zo2hDBk+wknKdn7+JPbzNaJLaY6ljI5OZrNJ9cCO7mEc2iW4PfkPk3E1vSxTYm93i5/2dW1sSyfbSEVqoYA2zGBi6vmgjhbG876Xrl/IZjzDA43FpbBe5fm/RgsHOH0QdttHHI3UAj/AZpR5LfidN7Gch40gNti/aSedZ1lGlcxZWTyFvcouXRekU6pR8ZSrflXCTQ5lSizqm6OaI5RbepJB6j/a1Uk0+z5Fh/ufvz6vs1+13x1lKLn28Fh3N30XuLyyYQK4QzwpRj489/LquYCeNXC/LsSaKeI0BgT86msls1ynwItt4ieFeK9PGMH4QFZhumfoAptOk1OS47l5c3WJvG4JmtjPZT4s1JPKyhyNFC0dYzGS6GejSL4lx5Tszv14IGSAcgB1erEFq2raki3W2pOW8LLxk/ZLMW2IB0BbOs5nnyTK48enJFiE5z6IPKa4QxXxRl830MCTTZhTZrDGK1PIWyZ6ZPWeZOF7hdZXlpJzVrGQHlwxX+h6+UH6tcn7JNlVKPNO5JmT7Dz1snGE5Dar/jOFzegFQywMeOyLvJJNDLlNVS7AG8viL//3K41wQWnewjnEBOm5H8aGQX0tnt7SeHA7Bvtd3OKzxEuzMWpG2KMD3IY47WauylF9ghj+RG1U2kno+MLEEHsIhof4nNWm9KW13BZZ61HmWmAwPcX3A7enFe2JJ5qSIG3xlTuAjVe9719RZwmxR3SKu06T14Wy7K/Csx5J5kLA7OphtokWJzBNzuZNFvpZldwoPvFb+qfJ+N05XNohHLfSYr61RYBQLRWo+XU20KpWlYitR4WF7VD3I1f9KxPY7MMaJEfQC4z1SrVEg3KWq1Z2m2jWUA6o+qOoY6j5yHXcosVY+Yb+Jx9iZSooS38VeU1VtD/awS4mlMNXU1uwg/6BFiY9Re8OqCxvBQCV2jNWYWWwMFL2uhTVUW6cxDdX8WzR/vMfXdsb4ksOilSrrt0uBnRguFsqFHDX1kNsZosSO8R+rtKXLVxxTYkO53VQJx/lWicVyk2s55FJgPEOV2GV2enyRZoQEcsURwdeUWKowLSV8rcQ6kUuCiRJaVI5RQ1wluM5EYumrxOo5ZKqSN4svOWpZJV4ZNbW8R5KpwcEoNmrEZ2HuzV/No8qyfiQj+MZE2YeoVzYV/Yj1dFzqLb7JrRAvYiDYyRPz1JYO+O14T+Ex4+QtUxPJQOGqctK1WHcVZBMGm1aaTBTfj4lKrJl8KqzWlwcV5Iu3YoJ42wKhSfgcRrtsCC4FOoXa7KbGiNvFGFrGBouVpc8GSpVYFreZkI8X2mpyDUMuBTqE22IMaQEXHkeumMM72gRyhcPCMhRLrolv2/uIFqo++3YpsEn8Pgl+bLd6DGekEqtntak5vP1xsFp8U5JtYqeVJd7MUtcg51JgPcVKLJqRAf4+dn4hPoTeK1b9HY+d4ovifvw8wBO3GEaJA7Ri18c9LgW2sk/8O0eMZ8bozVQl1sImzlqtJ6+cZZOYCKYGaKobLMbNOvbpu7Cnqy4QmR/QRP9rcXZ3huFWa8knN3FGqWkDzwQgZ+OPwh6zz9s5j413hQJPMcZw4dezV8gttfAQ0wgJLBN13c1gw3LZHBdy76hffvdx4FZWihXSZmaJacUXXVggLM+VPMZ6H3mTeDoMO5HFPj9vuJelwtn9Y17iooFS01jMvUq8jGns9pYxhnfEgV4Ly3Usa1qSyRNe+E4+8bOCtMoeqKazqg82kGfA6t6DJcLK3sLbvs8mB7JDFO/gC4b4nKvSWKhyiijhFj9V6QgKhFs5KnLX84HPVa+NgSxXGfQLhcnPK/epGtnKXmZ4uC62EcdENqocc6qZ6Xfi6RgKtDNL5UHtYBMTvYzciTxEocov6Cz3+VMfRPOc6mDTySXWM5PBpCiWmyiSyWQan6oceJ3U8aaBtWPHUCDE8UfVSZuTCj5lGpkkK3a+KLpwLY+ymipVrkpmezp46L2gsczmDTencAdnOMApqoAk+pJFhptXVh0LeNfAl2l92GOgecHxIzfzo99cSbzKXLdT6yZOUMxpLgFd6M8w+ruNdpX8mUVcNlaJWB7jmOHf/DRzDPqNdJQeCJDIXOFD6z8cZUZgX5fYyWaljtecNjSwmbsNn/d3JAVCJ+5mi477njbUsYJRZiyIqTzBFrexwj00UsBv6BnAntIazwTv2OjFCxSqZlltqGULj/u60sdf43uRzQRy6EUy8dgAJ43U8BO7WU8BZwhkWdyTbQGs/s1xhDsCMufa6MttTORmepBEHDaglQZqOEchG9jhuzQjvSeKVAaTTk86A/Wc5xQlnDdhtLLCO8sY0fRgEOl0Jx4ndVRwkhKqdE92JBKJRCKRSCQSSbBYdQnIOMZCyPYkNmAbWy1qiyWMUJ3khSJ43pkQ8YxVuW0HG4q9e85HMuPZHxL16d0bc1XQfjcXXUVksKgd7s66qkhiOv/VubfAf9/zfnvbVUdGSO8PvCqJIpM5bAjJDZZhpWMNv6kMJZvRDCaFzsRr7lCt4oiBO1TDTMdSYFuN2m7xvYYemlt8T3DBwC2+EolEIpFIJBKJRCKRSCQSiUQikUgkEolEIpFIJBKJRCKRSCRB8j/lg3vQkTaFgwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wMS0wNlQyMzoyMDo0MS0wNTowME+diI0AAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDEtMDZUMjM6MjA6NDEtMDU6MDA+wDAxAAAAAElFTkSuQmCC mediatype: image/png @@ -94,7 +94,7 @@ spec: url: https://www.ibm.com/docs/en/sva maintainers: - email: isamdev@au1.ibm.com - name: Verify Access Development Team + name: Verify Identity Access Development Team maturity: stable minKubeVersion: 1.17.0 provider: diff --git a/src/config/rbac/kustomization.yaml b/src/config/rbac/kustomization.yaml index 1200b3f..c6ccf29 100644 --- a/src/config/rbac/kustomization.yaml +++ b/src/config/rbac/kustomization.yaml @@ -11,10 +11,21 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml + # Comment the following 4 lines if you want to disable # the auth proxy (https://github.com/brancz/kube-rbac-proxy) # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +#- auth_proxy_service.yaml +#- auth_proxy_role.yaml +#- auth_proxy_role_binding.yaml +#- auth_proxy_client_clusterrole.yaml +# +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml diff --git a/src/config/rbac/metrics_auth_role.yaml b/src/config/rbac/metrics_auth_role.yaml new file mode 100644 index 0000000..32d2e4e --- /dev/null +++ b/src/config/rbac/metrics_auth_role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/src/config/rbac/metrics_auth_role_binding.yaml b/src/config/rbac/metrics_auth_role_binding.yaml new file mode 100644 index 0000000..e775d67 --- /dev/null +++ b/src/config/rbac/metrics_auth_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metrics-auth-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metrics-auth-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/src/config/rbac/metrics_reader_role.yaml b/src/config/rbac/metrics_reader_role.yaml new file mode 100644 index 0000000..51a75db --- /dev/null +++ b/src/config/rbac/metrics_reader_role.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-reader +rules: +- nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/src/config/samples/ibm_v1_ibmsecurityverifyaccess.yaml b/src/config/samples/ibm_v1_ibmsecurityverifyaccess.yaml index deca820..7013969 100644 --- a/src/config/samples/ibm_v1_ibmsecurityverifyaccess.yaml +++ b/src/config/samples/ibm_v1_ibmsecurityverifyaccess.yaml @@ -1,15 +1,15 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: ibm.com/v1 kind: IBMSecurityVerifyAccess metadata: # The name which will be given to the deployment. - name: isva-sample + name: ivia-sample spec: # The name of the image which will be used in the deployment. - image: "icr.io/isva/verify-access-wrp:10.0.7.0" + image: "icr.io/ivia/ivia-wrp:11.0.0.0" # The number of pods which will be started for the deployment. # replicas: 1 @@ -30,7 +30,7 @@ spec: # fixpacks: # - "test.fixpack" - # The name of the Verify Access instance which is being deployed. This value + # The name of the Verify Identity Access instance which is being deployed. This value # is only used for WRP and DSC deployments and is ignored for Runtime # deployments. instance: default @@ -43,17 +43,34 @@ spec: # the pod. More info can be found at: # https://kubernetes.io/docs/concepts/storage/volumes # volumes: - # - name: isva-config + # - name: ivia-config # emptyDir: {} # The list of references to secrets in the same namespace to use for the - # pulling of the Verify Access image. + # pulling of the Verify Identity Access image. # imagePullSecrets: # - name:my-secret # The name of the ServiceAccount to use to run the managed pod. # serviceAccountName: "default" + # Administarators can optionally set additional annotations to add to deployed Verify Identity Access runtime + # containers. This may be used for integration with third party applications such as log aggregation + # or infrastructure monitoring tools. Character restrictions for custom annotations are the same for + # any other Kubernets annotation. + # More info can be found at: + # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set + # customAnnotations: + # - key: my.custom/Annotation + # value: annotationToAdd + + + # The ordered list of secrets used to decrypt configuration snapshot files. This + # property is required if the configuration snapshot file being used was encrypted + # when it was created. + # snapshotSecrets: "secreteToDecryptSnapshotFiles||AnotherSecretToDecryptFiles" + + # Any specific container information which is associated with this # container. The container options include: # env diff --git a/src/go.mod b/src/go.mod index 9a1d66f..b263811 100644 --- a/src/go.mod +++ b/src/go.mod @@ -17,14 +17,20 @@ require ( ) require ( + github.com/antlr4-go/antlr/v4 v4.13.0 // indirect + github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect github.com/beorn7/perks v1.0.1 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect + github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch v4.9.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect @@ -33,12 +39,15 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect + github.com/google/cel-go v0.20.1 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af // indirect github.com/google/uuid v1.6.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/imdario/mergo v0.3.6 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/mailru/easyjson v0.7.7 // indirect @@ -50,27 +59,44 @@ require ( github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/common v0.55.0 // indirect github.com/prometheus/procfs v0.15.1 // indirect + github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/stoewer/go-strcase v1.2.0 // indirect github.com/x448/float16 v0.8.4 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect + go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/sdk v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.26.0 // indirect golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect golang.org/x/net v0.26.0 // indirect golang.org/x/oauth2 v0.21.0 // indirect + golang.org/x/sync v0.7.0 // indirect golang.org/x/sys v0.21.0 // indirect golang.org/x/term v0.21.0 // indirect golang.org/x/text v0.16.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect + google.golang.org/grpc v1.65.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.31.0 // indirect + k8s.io/apiserver v0.31.0 // indirect + k8s.io/component-base v0.31.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect diff --git a/src/go.sum b/src/go.sum index 66babdf..6e4d1a2 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,7 +1,16 @@ +github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= +github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -13,12 +22,17 @@ github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQo github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= @@ -36,6 +50,8 @@ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84= +github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= @@ -48,8 +64,12 @@ github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2 github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= @@ -91,12 +111,18 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU= +github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= @@ -106,6 +132,22 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= +go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= +go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= +go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= +go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= +go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= +go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= +go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= +go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= +go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= @@ -130,6 +172,8 @@ golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbht golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -155,6 +199,12 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw= +google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= +google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -164,6 +214,7 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSP gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= @@ -176,14 +227,20 @@ k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24 k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.0 h1:p+2dgJjy+bk+B1Csz+mc2wl5gHwvNkC9QJV+w55LVrY= +k8s.io/apiserver v0.31.0/go.mod h1:KI9ox5Yu902iBnnyMmy7ajonhKnkeZYJhTZ/YI+WEMk= k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8= k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU= +k8s.io/component-base v0.31.0 h1:/KIzGM5EvPNQcYgwq5NwoQBaOlVFrghoVGr8lG6vNRs= +k8s.io/component-base v0.31.0/go.mod h1:TYVuzI1QmN4L5ItVdMSXKvH7/DtvIuas5/mm8YT3rTo= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/src/internal/controller/snapshotmgr.go b/src/internal/controller/snapshotmgr.go index 34f8971..4402b52 100644 --- a/src/internal/controller/snapshotmgr.go +++ b/src/internal/controller/snapshotmgr.go @@ -434,9 +434,9 @@ func (mgr *SnapshotMgr) serve(w http.ResponseWriter, r *http.Request) { } } else if strings.HasPrefix(r.URL.Path, "/snapshots/") { basePath := filepath.Base(filepath.Clean(r.URL.Path)) - + hasValidPrefix := (strings.HasPrefix(basePath, "ivia_") || strings.HasPrefix(basePath, "isva_") if r.URL.Path == "/snapshots/"+basePath && - strings.HasPrefix(basePath, "isva_") && + hasValidPrefix && strings.HasSuffix(basePath, ".snapshot") { isValid = true } @@ -788,7 +788,7 @@ func (mgr *SnapshotMgr) generateKey() (cert string, key string, err error) { Bytes: derBytes, }) - cert = out.String() + cert = strings.TrimSuffix(out.String(), "\n") /* * Convert the key. @@ -801,7 +801,12 @@ func (mgr *SnapshotMgr) generateKey() (cert string, key string, err error) { Bytes: x509.MarshalPKCS1PrivateKey(priv), }) - key = out.String() + /* + * For some reason when creating a secret from this value, sometimes the trailing new line + * is removed. . . this breaks the update checking done when re-deploying containers, so lets + * try and fix it here + */ + key = strings.TrimSuffix(out.String(), "\n") return } From 72b7c50d2a5e22fe71523a471c4f65d2123ff041 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Thu, 19 Dec 2024 08:59:12 +1000 Subject: [PATCH 06/13] Migrate from kube-rbac-proxy to golang http server; update Operator with rerand from verify access to verify identity access; migrate operator sdk from v3 to v4 --- src/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/go.mod b/src/go.mod index b263811..9bc706f 100644 --- a/src/go.mod +++ b/src/go.mod @@ -2,7 +2,7 @@ module github.com/ibm-security/verify-access-operator -go 1.22.0 +go 1.22 toolchain go1.22.6 From 13ee63b4b3e8d0ad14341e3a107880e442823772 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Thu, 19 Dec 2024 09:12:46 +1000 Subject: [PATCH 07/13] find compatible golang version --- src/Makefile | 2 +- src/go.mod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Makefile b/src/Makefile index 12c3ac2..8e5f12e 100644 --- a/src/Makefile +++ b/src/Makefile @@ -128,7 +128,7 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi CONTROLLER_GEN = $(shell pwd)/bin/controller-gen controller-gen: ## Download controller-gen locally if necessary. - $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.3) + $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.0) KUSTOMIZE = $(shell pwd)/bin/kustomize kustomize: ## Download kustomize locally if necessary. diff --git a/src/go.mod b/src/go.mod index 9bc706f..b263811 100644 --- a/src/go.mod +++ b/src/go.mod @@ -2,7 +2,7 @@ module github.com/ibm-security/verify-access-operator -go 1.22 +go 1.22.0 toolchain go1.22.6 From 8688dcac3022714b19d28e45975cebb54875bae5 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Thu, 19 Dec 2024 09:15:35 +1000 Subject: [PATCH 08/13] find compatible golang version --- src/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Makefile b/src/Makefile index 8e5f12e..c3ca587 100644 --- a/src/Makefile +++ b/src/Makefile @@ -128,7 +128,7 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi CONTROLLER_GEN = $(shell pwd)/bin/controller-gen controller-gen: ## Download controller-gen locally if necessary. - $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.0) + $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.15.0) KUSTOMIZE = $(shell pwd)/bin/kustomize kustomize: ## Download kustomize locally if necessary. From f9459f11ebee3b5ad267e1948c886a129bd5061e Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Thu, 19 Dec 2024 09:21:51 +1000 Subject: [PATCH 09/13] find compatible golang version --- .github/workflows/build.yml | 2 +- src/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 825dcce..3b18144 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -38,7 +38,7 @@ jobs: - name: Setup go uses: actions/setup-go@v2 with: - go-version: "1.16" + go-version: "1.22" # Set up the GO cache. - name: Use go cache diff --git a/src/Makefile b/src/Makefile index c3ca587..e39fad1 100644 --- a/src/Makefile +++ b/src/Makefile @@ -128,7 +128,7 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi CONTROLLER_GEN = $(shell pwd)/bin/controller-gen controller-gen: ## Download controller-gen locally if necessary. - $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.15.0) + $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.4) KUSTOMIZE = $(shell pwd)/bin/kustomize kustomize: ## Download kustomize locally if necessary. From 3109fb8ff8038b9990f73dd57cc54d40f531dfd9 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Thu, 19 Dec 2024 09:23:26 +1000 Subject: [PATCH 10/13] Migrate from kube-rbac-proxy to golang http server; update Operator with rerand from verify access to verify identity access; migrate operator sdk from v3 to v4 --- src/internal/controller/snapshotmgr.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/internal/controller/snapshotmgr.go b/src/internal/controller/snapshotmgr.go index 4402b52..6d02379 100644 --- a/src/internal/controller/snapshotmgr.go +++ b/src/internal/controller/snapshotmgr.go @@ -434,7 +434,7 @@ func (mgr *SnapshotMgr) serve(w http.ResponseWriter, r *http.Request) { } } else if strings.HasPrefix(r.URL.Path, "/snapshots/") { basePath := filepath.Base(filepath.Clean(r.URL.Path)) - hasValidPrefix := (strings.HasPrefix(basePath, "ivia_") || strings.HasPrefix(basePath, "isva_") + hasValidPrefix := (strings.HasPrefix(basePath, "ivia_") || strings.HasPrefix(basePath, "isva_")) if r.URL.Path == "/snapshots/"+basePath && hasValidPrefix && strings.HasSuffix(basePath, ".snapshot") { From 710bd8ce07d794bfb47b41b7bd06e02140c4b1f2 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Thu, 19 Dec 2024 13:21:24 +1000 Subject: [PATCH 11/13] Migrate from kube-rbac-proxy to golang http server; update Operator with rerand from verify access to verify identity access; migrate operator sdk from v3 to v4 --- ...rity-verify-access-operator.clusterserviceversion.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml b/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml index beb905d..98cab07 100644 --- a/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml +++ b/src/config/manifests/bases/ibm-security-verify-access-operator.clusterserviceversion.yaml @@ -29,12 +29,12 @@ spec: name: '' version: v1 specDescriptors: - - description: The name of the IBM Security Verify Access image to be used. + - description: The name of the IBM Verify Identity Access image to be used. displayName: Image path: image x-descriptors: - 'urn:alm:descriptor:com.tectonic.ui:text' - - description: The name of the Verify Access instance which is being deployed. This value is only used for WRP and DSC deployments and is ignored for Runtime deployments. + - description: The name of the Verify Identity Access instance which is being deployed. This value is only used for WRP and DSC deployments and is ignored for Runtime deployments. displayName: Instance path: instance x-descriptors: @@ -88,9 +88,9 @@ spec: - identity and access - security links: - - name: Verify Access Product Information + - name: Verify Identity Access Product Information url: https://www.ibm.com/au-en/products/verify-access - - name: Verify Access Documentation + - name: Verify Identity Access Documentation url: https://www.ibm.com/docs/en/sva maintainers: - email: isamdev@au1.ibm.com From 067034c54da7e2805652c471d79cd9fe3054d31f Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Thu, 19 Dec 2024 13:23:22 +1000 Subject: [PATCH 12/13] Migrate from kube-rbac-proxy to golang http server; update Operator with rerand from verify access to verify identity access; migrate operator sdk from v3 to v4 --- src/config/crd/bases/ibm.com_ibmsecurityverifyaccesses.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/config/crd/bases/ibm.com_ibmsecurityverifyaccesses.yaml b/src/config/crd/bases/ibm.com_ibmsecurityverifyaccesses.yaml index c22bb72..f027dca 100644 --- a/src/config/crd/bases/ibm.com_ibmsecurityverifyaccesses.yaml +++ b/src/config/crd/bases/ibm.com_ibmsecurityverifyaccesses.yaml @@ -1060,7 +1060,7 @@ spec: The set of custom annotations to add to the container being created. Cannot be updated. items: - description: Custom annotations to add to deployed Verify Access + description: Custom annotations to add to deployed Verify Identity Access runtime container. properties: key: @@ -1138,7 +1138,7 @@ spec: type: array instance: description: |- - Instance is the name of the Verify Access instance which is being + Instance is the name of the Verify Identity Access instance which is being started. This value is only used for WRP and DSC deployments and is ignored for Runtime deployments. Defaults to 'default'. @@ -1194,7 +1194,7 @@ spec: snapshotTLSCacert: default: operator description: |- - SnapshotTLSCacert is a string which defines how the Verify Access runtime containers + SnapshotTLSCacert is a string which defines how the Verify Identity Access runtime containers verify connections to the snapshot management service. This option is the equivalent of setting the CONFIG_SERVICE_TLS_CACERT environment property. The default option for this property is to read the X509 certificate for the Operator's snapshot management service From fecc8c69f7a76bfd2fe97c7d5f77706517965ed7 Mon Sep 17 00:00:00 2001 From: Lachlan Gleeson Date: Fri, 20 Dec 2024 12:06:31 +1000 Subject: [PATCH 13/13] Update copyright notice --- build/Dockerfile | 4 ++-- build/operator_build.py | 2 +- build/root/sbin/bootstrap.sh | 2 +- build/root/sbin/prepare.sh | 2 +- src/.dockerignore | 2 +- src/.gitignore | 2 +- src/Dockerfile | 2 +- src/Makefile | 2 +- src/PROJECT | 2 +- src/api/v1/groupversion_info.go | 2 +- src/api/v1/ibmsecurityverifyaccess_types.go | 6 +++--- src/cmd/main.go | 2 +- src/config/crd/kustomization.yaml | 2 +- src/config/crd/kustomizeconfig.yaml | 2 +- .../patches/cainjection_in_ibmsecurityverifyaccesses.yaml | 2 +- .../crd/patches/webhook_in_ibmsecurityverifyaccesses.yaml | 2 +- src/config/default/kustomization.yaml | 2 +- src/config/default/manager_auth_proxy_patch.yaml | 2 +- src/config/default/manager_config_patch.yaml | 2 +- src/config/manager/controller_manager_config.yaml | 2 +- src/config/manager/kustomization.yaml | 2 +- src/config/manager/manager.yaml | 2 +- src/config/manifests/kustomization.yaml | 2 +- src/config/prometheus/kustomization.yaml | 2 +- src/config/prometheus/monitor.yaml | 2 +- src/config/rbac/auth_proxy_client_clusterrole.yaml | 2 +- src/config/rbac/auth_proxy_role.yaml | 2 +- src/config/rbac/auth_proxy_role_binding.yaml | 2 +- src/config/rbac/auth_proxy_service.yaml | 2 +- src/config/rbac/ibmsecurityverifyaccess_editor_role.yaml | 2 +- src/config/rbac/ibmsecurityverifyaccess_viewer_role.yaml | 2 +- src/config/rbac/kustomization.yaml | 2 +- src/config/rbac/leader_election_role.yaml | 2 +- src/config/rbac/leader_election_role_binding.yaml | 2 +- src/config/rbac/role_binding.yaml | 2 +- src/config/rbac/service_account.yaml | 2 +- src/config/samples/kustomization.yaml | 2 +- src/config/scorecard/bases/config.yaml | 2 +- src/config/scorecard/kustomization.yaml | 2 +- src/config/scorecard/patches/basic.config.yaml | 2 +- src/config/scorecard/patches/olm.config.yaml | 2 +- src/go.mod | 2 +- src/hack/boilerplate.go.txt | 2 +- src/internal/controller/constants.go | 2 +- .../controller/ibmsecurityverifyaccess_controller.go | 2 +- src/internal/controller/snapshotmgr.go | 2 +- src/internal/controller/suite_test.go | 2 +- src/internal/controller/utils.go | 2 +- 48 files changed, 51 insertions(+), 51 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index b99fbaf..ee4c37b 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,5 +1,5 @@ ############################################################################## -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project ############################################################################## # Our build image is based on the RedHat Universal Base Image (ubi) @@ -23,5 +23,5 @@ LABEL maintainer="isamdev@au.ibm.com" \ product="IBM Security Verify Access" \ documentation="https://www.ibm.com/docs/en/sva/latest?topic=web-webseal-overview" \ product_information="https://www.ibm.com/au-en/products/verify-access" \ - copyright="Copyright contributors to the IBM Security Verify Access Operator project" + copyright="Copyright contributors to the IBM Verify Identity Access Operator project" diff --git a/build/operator_build.py b/build/operator_build.py index fbedb5b..46dc806 100755 --- a/build/operator_build.py +++ b/build/operator_build.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 """ -Copyright contributors to the IBM Security Verify Access Operator project +Copyright contributors to the IBM Verify Identity Access Operator project This script is designed to handle the management of the Verify Access operator docker build image and containers. The usage option can be used to provide diff --git a/build/root/sbin/bootstrap.sh b/build/root/sbin/bootstrap.sh index e511e8d..0032fde 100644 --- a/build/root/sbin/bootstrap.sh +++ b/build/root/sbin/bootstrap.sh @@ -1,7 +1,7 @@ #!/bin/sh ############################################################################## -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project ############################################################################## # Set up the build area, symbolically linking files from our workspace. diff --git a/build/root/sbin/prepare.sh b/build/root/sbin/prepare.sh index d988445..0c02916 100644 --- a/build/root/sbin/prepare.sh +++ b/build/root/sbin/prepare.sh @@ -1,7 +1,7 @@ #!/bin/sh ############################################################################## -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project ############################################################################## set -e diff --git a/src/.dockerignore b/src/.dockerignore index cbfcf46..7db8c3b 100644 --- a/src/.dockerignore +++ b/src/.dockerignore @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file # Ignore all files which are not go type diff --git a/src/.gitignore b/src/.gitignore index e1e2e5c..f701944 100644 --- a/src/.gitignore +++ b/src/.gitignore @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # Binaries for programs and plugins *.exe diff --git a/src/Dockerfile b/src/Dockerfile index 3dc7fec..a5a7480 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # Build the manager binary FROM golang:1.22 AS builder diff --git a/src/Makefile b/src/Makefile index e39fad1..439e177 100644 --- a/src/Makefile +++ b/src/Makefile @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # VERSION defines the project version for the bundle. # Update this value when you upgrade the version of your project. diff --git a/src/PROJECT b/src/PROJECT index 137aad0..14de92e 100644 --- a/src/PROJECT +++ b/src/PROJECT @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project domain: ibmcom layout: diff --git a/src/api/v1/groupversion_info.go b/src/api/v1/groupversion_info.go index 9b9134f..1f2630e 100644 --- a/src/api/v1/groupversion_info.go +++ b/src/api/v1/groupversion_info.go @@ -1,5 +1,5 @@ /* - * Copyright contributors to the IBM Security Verify Access Operator project + * Copyright contributors to the IBM Verify Identity Access Operator project */ // Package v1 contains API Schema definitions for the ibm v1 API group diff --git a/src/api/v1/ibmsecurityverifyaccess_types.go b/src/api/v1/ibmsecurityverifyaccess_types.go index c398d0a..aa19e58 100644 --- a/src/api/v1/ibmsecurityverifyaccess_types.go +++ b/src/api/v1/ibmsecurityverifyaccess_types.go @@ -1,5 +1,5 @@ /* - * Copyright contributors to the IBM Security Verify Access Operator project + * Copyright contributors to the IBM Verify Identity Access Operator project */ package v1 @@ -175,7 +175,7 @@ type IBMSecurityVerifyAccessSpec struct { SnapshotSecrets string `json:"snapshotSecrets"` //+kubebuilder:default=operator - // SnapshotTLSCacert is a string which defines how the Verify Access runtime containers + // SnapshotTLSCacert is a string which defines how the Verify Identity Access runtime containers // verify connections to the snapshot management service. This option is the equivalent // of setting the CONFIG_SERVICE_TLS_CACERT environment property. The default option for this // property is to read the X509 certificate for the Operator's snapshot management service @@ -192,7 +192,7 @@ type IBMSecurityVerifyAccessSpec struct { // +optional Fixpacks []string `json:"fixpacks,omitempty"` - // Instance is the name of the Verify Access instance which is being + // Instance is the name of the Verify Identity Access instance which is being // started. This value is only used for WRP and DSC deployments and is // ignored for Runtime deployments. // Defaults to 'default'. diff --git a/src/cmd/main.go b/src/cmd/main.go index 6c66f3d..33bf84a 100644 --- a/src/cmd/main.go +++ b/src/cmd/main.go @@ -1,5 +1,5 @@ /* - * Copyright contributors to the IBM Security Verify Access Operator project + * Copyright contributors to the IBM Verify Identity Access Operator project */ package main diff --git a/src/config/crd/kustomization.yaml b/src/config/crd/kustomization.yaml index fdaaf0c..ed4ba60 100644 --- a/src/config/crd/kustomization.yaml +++ b/src/config/crd/kustomization.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # This kustomization.yaml is not intended to be run by itself, # since it depends on service name and namespace that are out of this kustomize package. diff --git a/src/config/crd/kustomizeconfig.yaml b/src/config/crd/kustomizeconfig.yaml index 323083d..8b804df 100644 --- a/src/config/crd/kustomizeconfig.yaml +++ b/src/config/crd/kustomizeconfig.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # This file is for teaching kustomize how to substitute name and namespace reference in CRD nameReference: diff --git a/src/config/crd/patches/cainjection_in_ibmsecurityverifyaccesses.yaml b/src/config/crd/patches/cainjection_in_ibmsecurityverifyaccesses.yaml index ae92df2..a84ec89 100644 --- a/src/config/crd/patches/cainjection_in_ibmsecurityverifyaccesses.yaml +++ b/src/config/crd/patches/cainjection_in_ibmsecurityverifyaccesses.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # The following patch adds a directive for certmanager to inject CA into the CRD apiVersion: apiextensions.k8s.io/v1 diff --git a/src/config/crd/patches/webhook_in_ibmsecurityverifyaccesses.yaml b/src/config/crd/patches/webhook_in_ibmsecurityverifyaccesses.yaml index db15876..1442924 100644 --- a/src/config/crd/patches/webhook_in_ibmsecurityverifyaccesses.yaml +++ b/src/config/crd/patches/webhook_in_ibmsecurityverifyaccesses.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # The following patch enables a conversion webhook for the CRD apiVersion: apiextensions.k8s.io/v1 diff --git a/src/config/default/kustomization.yaml b/src/config/default/kustomization.yaml index 75e9ae5..c9c93a0 100644 --- a/src/config/default/kustomization.yaml +++ b/src/config/default/kustomization.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # Adds namespace to all resources. namespace: verify-access-operator-system diff --git a/src/config/default/manager_auth_proxy_patch.yaml b/src/config/default/manager_auth_proxy_patch.yaml index 4aeaa73..6c13df4 100644 --- a/src/config/default/manager_auth_proxy_patch.yaml +++ b/src/config/default/manager_auth_proxy_patch.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # This patch inject a sidecar container which is a HTTP proxy for the # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. diff --git a/src/config/default/manager_config_patch.yaml b/src/config/default/manager_config_patch.yaml index 49b7985..80f8d89 100644 --- a/src/config/default/manager_config_patch.yaml +++ b/src/config/default/manager_config_patch.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: apps/v1 kind: Deployment diff --git a/src/config/manager/controller_manager_config.yaml b/src/config/manager/controller_manager_config.yaml index 3c6c0ec..515c687 100644 --- a/src/config/manager/controller_manager_config.yaml +++ b/src/config/manager/controller_manager_config.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 kind: ControllerManagerConfig diff --git a/src/config/manager/kustomization.yaml b/src/config/manager/kustomization.yaml index 71866e1..66155b2 100644 --- a/src/config/manager/kustomization.yaml +++ b/src/config/manager/kustomization.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project resources: - manager.yaml diff --git a/src/config/manager/manager.yaml b/src/config/manager/manager.yaml index 3d9a8e0..269d6f6 100644 --- a/src/config/manager/manager.yaml +++ b/src/config/manager/manager.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: v1 kind: Namespace diff --git a/src/config/manifests/kustomization.yaml b/src/config/manifests/kustomization.yaml index 91a61d1..a0007d1 100644 --- a/src/config/manifests/kustomization.yaml +++ b/src/config/manifests/kustomization.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # These resources constitute the fully configured set of manifests # used to generate the 'manifests/' directory in a bundle. diff --git a/src/config/prometheus/kustomization.yaml b/src/config/prometheus/kustomization.yaml index b411f83..cc9554e 100644 --- a/src/config/prometheus/kustomization.yaml +++ b/src/config/prometheus/kustomization.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project resources: - monitor.yaml diff --git a/src/config/prometheus/monitor.yaml b/src/config/prometheus/monitor.yaml index a0f9efd..cf8fcaa 100644 --- a/src/config/prometheus/monitor.yaml +++ b/src/config/prometheus/monitor.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # Prometheus Monitor Service (Metrics) apiVersion: monitoring.coreos.com/v1 diff --git a/src/config/rbac/auth_proxy_client_clusterrole.yaml b/src/config/rbac/auth_proxy_client_clusterrole.yaml index 1e69613..a165857 100644 --- a/src/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/src/config/rbac/auth_proxy_client_clusterrole.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/src/config/rbac/auth_proxy_role.yaml b/src/config/rbac/auth_proxy_role.yaml index 5300e4a..3f054c5 100644 --- a/src/config/rbac/auth_proxy_role.yaml +++ b/src/config/rbac/auth_proxy_role.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/src/config/rbac/auth_proxy_role_binding.yaml b/src/config/rbac/auth_proxy_role_binding.yaml index ebff3ff..3d1fac9 100644 --- a/src/config/rbac/auth_proxy_role_binding.yaml +++ b/src/config/rbac/auth_proxy_role_binding.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/src/config/rbac/auth_proxy_service.yaml b/src/config/rbac/auth_proxy_service.yaml index 4b1f5f8..6ece5e6 100644 --- a/src/config/rbac/auth_proxy_service.yaml +++ b/src/config/rbac/auth_proxy_service.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: v1 kind: Service diff --git a/src/config/rbac/ibmsecurityverifyaccess_editor_role.yaml b/src/config/rbac/ibmsecurityverifyaccess_editor_role.yaml index b8884ea..7a3f4a9 100644 --- a/src/config/rbac/ibmsecurityverifyaccess_editor_role.yaml +++ b/src/config/rbac/ibmsecurityverifyaccess_editor_role.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # permissions for end users to edit ibmsecurityverifyaccesses. apiVersion: rbac.authorization.k8s.io/v1 diff --git a/src/config/rbac/ibmsecurityverifyaccess_viewer_role.yaml b/src/config/rbac/ibmsecurityverifyaccess_viewer_role.yaml index eac2f5d..f495fb6 100644 --- a/src/config/rbac/ibmsecurityverifyaccess_viewer_role.yaml +++ b/src/config/rbac/ibmsecurityverifyaccess_viewer_role.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # permissions for end users to view ibmsecurityverifyaccesses. apiVersion: rbac.authorization.k8s.io/v1 diff --git a/src/config/rbac/kustomization.yaml b/src/config/rbac/kustomization.yaml index c6ccf29..3449229 100644 --- a/src/config/rbac/kustomization.yaml +++ b/src/config/rbac/kustomization.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project resources: # All RBAC will be applied under this service account in diff --git a/src/config/rbac/leader_election_role.yaml b/src/config/rbac/leader_election_role.yaml index 3cce90d..b188572 100644 --- a/src/config/rbac/leader_election_role.yaml +++ b/src/config/rbac/leader_election_role.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project # permissions to do leader election. apiVersion: rbac.authorization.k8s.io/v1 diff --git a/src/config/rbac/leader_election_role_binding.yaml b/src/config/rbac/leader_election_role_binding.yaml index 47814fc..bd9adbb 100644 --- a/src/config/rbac/leader_election_role_binding.yaml +++ b/src/config/rbac/leader_election_role_binding.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/src/config/rbac/role_binding.yaml b/src/config/rbac/role_binding.yaml index 0dea267..ca482ef 100644 --- a/src/config/rbac/role_binding.yaml +++ b/src/config/rbac/role_binding.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/src/config/rbac/service_account.yaml b/src/config/rbac/service_account.yaml index e9df081..01ab005 100644 --- a/src/config/rbac/service_account.yaml +++ b/src/config/rbac/service_account.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: v1 kind: ServiceAccount diff --git a/src/config/samples/kustomization.yaml b/src/config/samples/kustomization.yaml index 4cf1c46..2349bea 100644 --- a/src/config/samples/kustomization.yaml +++ b/src/config/samples/kustomization.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project ## Append samples you want in your CSV to this file as resources ## resources: diff --git a/src/config/scorecard/bases/config.yaml b/src/config/scorecard/bases/config.yaml index 055d4fd..0a8a394 100644 --- a/src/config/scorecard/bases/config.yaml +++ b/src/config/scorecard/bases/config.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project apiVersion: scorecard.operatorframework.io/v1alpha3 kind: Configuration diff --git a/src/config/scorecard/kustomization.yaml b/src/config/scorecard/kustomization.yaml index cc91823..2b520c5 100644 --- a/src/config/scorecard/kustomization.yaml +++ b/src/config/scorecard/kustomization.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project resources: - bases/config.yaml diff --git a/src/config/scorecard/patches/basic.config.yaml b/src/config/scorecard/patches/basic.config.yaml index c5e448a..82d3c36 100644 --- a/src/config/scorecard/patches/basic.config.yaml +++ b/src/config/scorecard/patches/basic.config.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project - op: add path: /stages/0/tests/- diff --git a/src/config/scorecard/patches/olm.config.yaml b/src/config/scorecard/patches/olm.config.yaml index 9723822..6de94b3 100644 --- a/src/config/scorecard/patches/olm.config.yaml +++ b/src/config/scorecard/patches/olm.config.yaml @@ -1,4 +1,4 @@ -# Copyright contributors to the IBM Security Verify Access Operator project +# Copyright contributors to the IBM Verify Identity Access Operator project - op: add path: /stages/0/tests/- diff --git a/src/go.mod b/src/go.mod index b263811..8bb5c8b 100644 --- a/src/go.mod +++ b/src/go.mod @@ -1,4 +1,4 @@ -// Copyright contributors to the IBM Security Verify Access Operator project +// Copyright contributors to the IBM Verify Identity Access Operator project module github.com/ibm-security/verify-access-operator diff --git a/src/hack/boilerplate.go.txt b/src/hack/boilerplate.go.txt index 7ecace1..ae3320c 100644 --- a/src/hack/boilerplate.go.txt +++ b/src/hack/boilerplate.go.txt @@ -1,4 +1,4 @@ /* - * Copyright contributors to the IBM Security Verify Access Operator project + * Copyright contributors to the IBM Verify Identity Access Operator project */ diff --git a/src/internal/controller/constants.go b/src/internal/controller/constants.go index 87f0a10..214602f 100644 --- a/src/internal/controller/constants.go +++ b/src/internal/controller/constants.go @@ -1,5 +1,5 @@ /* - * Copyright contributors to the IBM Security Verify Access Operator project + * Copyright contributors to the IBM Verify Identity Access Operator project */ package controllers diff --git a/src/internal/controller/ibmsecurityverifyaccess_controller.go b/src/internal/controller/ibmsecurityverifyaccess_controller.go index ed833f2..08dc038 100644 --- a/src/internal/controller/ibmsecurityverifyaccess_controller.go +++ b/src/internal/controller/ibmsecurityverifyaccess_controller.go @@ -1,5 +1,5 @@ /* - * Copyright contributors to the IBM Security Verify Access Operator project + * Copyright contributors to the IBM Verify Identity Access Operator project */ package controllers diff --git a/src/internal/controller/snapshotmgr.go b/src/internal/controller/snapshotmgr.go index 6d02379..0927668 100644 --- a/src/internal/controller/snapshotmgr.go +++ b/src/internal/controller/snapshotmgr.go @@ -1,5 +1,5 @@ /* - * Copyright contributors to the IBM Security Verify Access Operator project + * Copyright contributors to the IBM Verify Identity Access Operator project */ package controllers diff --git a/src/internal/controller/suite_test.go b/src/internal/controller/suite_test.go index 1422c6b..febbf8e 100644 --- a/src/internal/controller/suite_test.go +++ b/src/internal/controller/suite_test.go @@ -1,5 +1,5 @@ /* - * Copyright contributors to the IBM Security Verify Access Operator project + * Copyright contributors to the IBM Verify Identity Access Operator project */ package controllers diff --git a/src/internal/controller/utils.go b/src/internal/controller/utils.go index 824cea6..29d3235 100644 --- a/src/internal/controller/utils.go +++ b/src/internal/controller/utils.go @@ -1,5 +1,5 @@ /* - * Copyright contributors to the IBM Security Verify Access Operator project + * Copyright contributors to the IBM Verify Identity Access Operator project */ package controllers