diff --git a/features.md b/features.md
index af1a1aafd5b..ac6383dd70c 100644
--- a/features.md
+++ b/features.md
@@ -9,6 +9,7 @@
 | ClusterAPIComputeInstall| | | Enabled | Enabled | | | | |
 | ClusterAPIControlPlaneInstall| | | Enabled | Enabled | | | | |
 | ClusterUpdatePreflight| | | Enabled | Enabled | | | | |
+| DNSTemplatePlugin| | | Enabled | Enabled | | | | |
 | Example2| | | Enabled | Enabled | | | | |
 | ExternalOIDCExternalClaimsSourcing| | | Enabled | Enabled | | | | |
 | ExternalSnapshotMetadata| | | Enabled | Enabled | | | | |
diff --git a/features/features.go b/features/features.go
index 0fcf9b395a2..e97af483ee3 100644
--- a/features/features.go
+++ b/features/features.go
@@ -257,6 +257,14 @@ var (
 enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 mustRegister()
 
+ FeatureGateDNSTemplatePlugin = newFeatureGate("DNSTemplatePlugin").
+ reportProblemsToJiraComponent("dns").
+ contactPerson("grzpiotrowski").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1936").
+ enable(inDevPreviewNoUpgrade()).
+ mustRegister()
+
 FeatureGateImageModeStatusReporting = newFeatureGate("ImageModeStatusReporting").
 reportProblemsToJiraComponent("MachineConfigOperator").
 contactPerson("ijanssen").
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index de45907e780..1a476487fe1 100644
--- a/openapi/generated_openapi/zz_generated.openapi.go
+++ b/openapi/generated_openapi/zz_generated.openapi.go
@@ -1044,6 +1044,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/operator/v1.DNSOverTLSConfig": schema_openshift_api_operator_v1_DNSOverTLSConfig(ref), "github.com/openshift/api/operator/v1.DNSSpec": schema_openshift_api_operator_v1_DNSSpec(ref), "github.com/openshift/api/operator/v1.DNSStatus": schema_openshift_api_operator_v1_DNSStatus(ref), + "github.com/openshift/api/operator/v1.DNSTemplate": schema_openshift_api_operator_v1_DNSTemplate(ref), + "github.com/openshift/api/operator/v1.DNSTemplateAction": schema_openshift_api_operator_v1_DNSTemplateAction(ref), "github.com/openshift/api/operator/v1.DNSTransportConfig": schema_openshift_api_operator_v1_DNSTransportConfig(ref), "github.com/openshift/api/operator/v1.DefaultNetworkDefinition": schema_openshift_api_operator_v1_DefaultNetworkDefinition(ref), "github.com/openshift/api/operator/v1.DeveloperConsoleCatalogCategory": schema_openshift_api_operator_v1_DeveloperConsoleCatalogCategory(ref), @@ -53121,6 +53123,11 @@ func schema_openshift_api_operator_v1_DNSNodePlacement(ref common.ReferenceCallb }, }, "tolerations": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "tolerations is a list of tolerations applied to DNS pods.\n\nIf empty, the DNS operator sets a toleration for the \"node-role.kubernetes.io/master\" taint. This default is subject to change. Specifying tolerations without including a toleration for the \"node-role.kubernetes.io/master\" taint may be risky as it could lead to an outage if all worker nodes become unavailable.\n\nNote that the daemon controller adds some tolerations as well. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/", Type: []string{"array"}, 
@@ -53181,6 +53188,14 @@ func schema_openshift_api_operator_v1_DNSSpec(ref common.ReferenceCallback) comm Type: []string{"object"}, Properties: map[string]spec.Schema{ "servers": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ Description: "servers is a list of DNS resolvers that provide name query delegation for one or more subdomains outside the scope of the cluster domain. If servers consists of more than one Server, longest suffix match will be used to determine the Server.\n\nFor example, if there are two Servers, one for \"foo.com\" and another for \"a.foo.com\", and the name query is for \"www.a.foo.com\", it will be routed to the Server with Zone \"a.foo.com\".\n\nIf this field is nil, no servers are created.", Type: []string{"array"}, 
@@ -53236,11 +53251,18 @@ func schema_openshift_api_operator_v1_DNSSpec(ref common.ReferenceCallback) comm Ref: ref("github.com/openshift/api/operator/v1.DNSCache"), }, }, + "template": { + SchemaProps: spec.SchemaProps{ + Description: "template is an optional configuration for custom DNS query handling via the CoreDNS template plugin. The template defines how to handle queries matching specific zones and query types.\n\nThe template applies to all domains (custom domains from spec.servers and the cluster domain) to ensure consistent DNS resolution across all paths.\n\nWhen this field is not set, no template plugin configuration is added to CoreDNS.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/operator/v1.DNSTemplate"), + }, + }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/operator/v1.DNSCache", "github.com/openshift/api/operator/v1.DNSNodePlacement", "github.com/openshift/api/operator/v1.Server", "github.com/openshift/api/operator/v1.UpstreamResolvers"}, + "github.com/openshift/api/operator/v1.DNSCache", "github.com/openshift/api/operator/v1.DNSNodePlacement", "github.com/openshift/api/operator/v1.DNSTemplate", "github.com/openshift/api/operator/v1.Server", "github.com/openshift/api/operator/v1.UpstreamResolvers"}, } } @@ -53270,6 +53292,10 @@ func schema_openshift_api_operator_v1_DNSStatus(ref common.ReferenceCallback) co "conditions": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", "x-kubernetes-patch-merge-key": "type", "x-kubernetes-patch-strategy": "merge", }, 
@@ -53296,6 +53322,84 @@ func schema_openshift_api_operator_v1_DNSStatus(ref common.ReferenceCallback) co } } +func schema_openshift_api_operator_v1_DNSTemplate(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DNSTemplate defines a template for custom DNS query handling via the CoreDNS template plugin. DNSTemplate enables filtering or custom responses for DNS queries matching specific zones and query types.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "zones": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "zones specifies the DNS zones this template applies to. Each zone must be a valid DNS name as defined in RFC 1123. The special zone \".\" matches all domains (catch-all). Multiple zones can be specified to apply the same template actions to multiple domains. At least 1 and at most 15 zones may be specified.\n\nNote: root zone (\".\") includes cluster domain (cluster.local); use specific zones to avoid impacting IPv6 queries in IPv6 or dual-stack clusters.\n\nExamples: - [\".\"] matches all domains (catch-all for global AAAA filtering) - [\"example.com\"] matches only example.com and its subdomains - [\"example.com\", \"test.com\"] matches both domains and their subdomains", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "queryType": { + SchemaProps: spec.SchemaProps{ + Description: "queryType specifies the DNS query type to match. Valid values are \"AAAA\".", + Type: []string{"string"}, + Format: "", + }, + }, + "queryClass": { + SchemaProps: spec.SchemaProps{ + Description: "queryClass specifies the DNS query class to match. 
Valid values are \"IN\".", + Type: []string{"string"}, + Format: "", + }, + }, + "action": { + SchemaProps: spec.SchemaProps{ + Description: "action defines how to handle queries matching this template's zones and query type. The action builds a single DNS response by specifying the response code and may be extended by additional fields in the future.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/operator/v1.DNSTemplateAction"), + }, + }, + }, + Required: []string{"zones", "queryType", "queryClass", "action"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/operator/v1.DNSTemplateAction"}, + } +} + +func schema_openshift_api_operator_v1_DNSTemplateAction(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DNSTemplateAction defines how to construct a DNS response for queries matching the template.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "rcode": { + SchemaProps: spec.SchemaProps{ + Description: "rcode is the DNS response code to return. Valid values are \"NOERROR\".\n\nThe template returns a response with no answer records. For AAAA filtering, this means IPv6 address queries return successfully but with no IPv6 addresses, causing clients to fall back to IPv4 (A record) queries.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"rcode"}, + }, + }, + } +} + func schema_openshift_api_operator_v1_DNSTransportConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -54092,6 +54196,11 @@ func schema_openshift_api_operator_v1_ForwardPlugin(ref common.ReferenceCallback Type: []string{"object"}, Properties: map[string]spec.Schema{ "upstreams": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, SchemaProps: spec.SchemaProps{ Description: "upstreams is a list of resolvers to forward name queries for subdomains of Zones. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy. Each upstream is represented by an IP address or IP:port if the upstream listens on a port other than 53.\n\nA maximum of 15 upstreams is allowed per ForwardPlugin.", Type: []string{"array"}, @@ -60773,6 +60882,11 @@ func schema_openshift_api_operator_v1_Server(ref common.ReferenceCallback) commo }, }, "zones": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, SchemaProps: spec.SchemaProps{ Description: "zones is required and specifies the subdomains that Server is authoritative for. Zones must conform to the rfc1123 definition of a subdomain. Specifying the cluster domain (i.e., \"cluster.local\") is invalid.", Type: []string{"array"}, 
@@ -62353,6 +62467,11 @@ func schema_openshift_api_operator_v1_UpstreamResolvers(ref common.ReferenceCall Type: []string{"object"}, Properties: map[string]spec.Schema{ "upstreams": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "upstreams is a list of resolvers to forward name queries for the \".\" domain. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy.\n\nA maximum of 15 upstreams is allowed per ForwardPlugin. If no Upstreams are specified, /etc/resolv.conf is used by default", Type: []string{"array"}, diff --git a/openapi/openapi.json b/openapi/openapi.json index 6a6bc8edbc0..8f1a5b0530e 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -15949,6 +15949,10 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.APIServerServingCerts" }, + "tlsAdherence": { + "description": "tlsAdherence controls if components in the cluster adhere to the TLS security profile configured on this APIServer resource.\n\nValid values are \"LegacyAdheringComponentsOnly\" and \"StrictAllComponents\".\n\nWhen set to \"LegacyAdheringComponentsOnly\", components that already honor the cluster-wide TLS profile continue to do so. Components that do not already honor it continue to use their individual TLS configurations.\n\nWhen set to \"StrictAllComponents\", all components must honor the configured TLS profile unless they have a component-specific TLS configuration that overrides it. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.\n\nNote: Some components such as Kubelet and IngressController have their own dedicated TLS configuration mechanisms via KubeletConfig and IngressController CRs respectively. When these component-specific TLS configurations are set, they take precedence over the cluster-wide tlsSecurityProfile. When not set, these components fall back to the cluster-wide default.\n\nComponents that encounter an unknown value for tlsAdherence should treat it as \"StrictAllComponents\" and log a warning to ensure forward compatibility while defaulting to the more secure behavior.\n\nThis field is optional. When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. 
The current default is LegacyAdheringComponentsOnly.\n\nOnce set, this field may be changed to a different value, but may not be removed.", + "type": "string" + }, "tlsSecurityProfile": { "description": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", "$ref": "#/definitions/com.github.openshift.api.config.v1.TLSSecurityProfile" 
@@ -24078,109 +24082,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicy": { - "description": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec contains the configuration for the cluster image policy.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ClusterImagePolicySpec" - }, - "status": { - "description": "status contains the observed state of the resource.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ClusterImagePolicyStatus" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicyList": { - "description": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ClusterImagePolicy" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicySpec": { - "description": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", - "type": "object", - "required": [ - "scopes", - "policy" - ], - "properties": { - "policy": { - "description": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy" - }, - "scopes": { - "description": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "set" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicyStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions provide details on the status of this API Resource.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - } - } - }, "com.github.openshift.api.config.v1alpha1.ClusterMonitoring": { "description": "ClusterMonitoring is the Custom Resource object which holds the current status of Cluster Monitoring Operator. CMO is a central component of the monitoring stack.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. ClusterMonitoring is the Schema for the Cluster Monitoring Operators API", "type": "object", 
@@ -24443,198 +24344,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.ImagePolicy": { - "description": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec holds user settable values for configuration", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicySpec" - }, - "status": { - "description": "status contains the observed state of the resource.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyStatus" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust": { - "description": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "type": "object", - "required": [ - "fulcioCAData", - "rekorKeyData", - "fulcioSubject" - ], - "properties": { - "fulcioCAData": { - "description": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "fulcioSubject": { - "description": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject" - }, - "rekorKeyData": { - "description": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyList": { - "description": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. 
These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicy" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust": { - "description": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "type": "object", - "required": [ - "caRootsData", - "pkiCertificateSubject" - ], - "properties": { - "caIntermediatesData": { - "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. 
caIntermediatesData requires caRootsData to be set.", - "type": "string", - "format": "byte" - }, - "caRootsData": { - "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - "type": "string", - "format": "byte" - }, - "pkiCertificateSubject": { - "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKICertificateSubject" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust": { - "description": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", - "type": "object", - "required": [ - "keyData" - ], - "properties": { - "keyData": { - "description": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "rekorKeyData": { - "description": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicySpec": { - "description": "ImagePolicySpec is the specification of the ImagePolicy CRD.", - "type": "object", - "required": [ - "scopes", - "policy" - ], - "properties": { - "policy": { - "description": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy" - }, - "scopes": { - "description": "scopes defines the list of image identities assigned to a policy. 
Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. 
For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "set" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions provide details on the status of this API Resource.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy": { - "description": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", - "type": "object", - "required": [ - "rootOfTrust" - ], - "properties": { - "rootOfTrust": { - "description": "rootOfTrust specifies the root of trust for the policy.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust" - }, - "signedIdentity": { - "description": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyIdentity" - } - } - }, "com.github.openshift.api.config.v1alpha1.InsightsDataGather": { "description": "InsightsDataGather provides data gather configuration options for the the Insights Operator.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. 
These capabilities should not be used by applications needing long term support.", "type": "object", @@ -25049,20 +24758,6 @@ } ] }, - "com.github.openshift.api.config.v1alpha1.PKICertificateSubject": { - "description": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "type": "object", - "properties": { - "email": { - "description": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email should be a valid email address and at most 320 characters in length.", - "type": "string" - }, - "hostname": { - "description": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", - "type": "string" - } - } - }, "com.github.openshift.api.config.v1alpha1.PKIList": { "description": "PKIList is a collection of PKI resources.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", 
@@ -25168,125 +24863,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject": { - "description": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", - "type": "object", - "required": [ - "oidcIssuer", - "signedEmail" - ], - "properties": { - "oidcIssuer": { - "description": "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", - "type": "string", - "default": "" - }, - "signedEmail": { - "description": "signedEmail holds the email address the the Fulcio certificate is issued for. Example: \"expected-signing-user@example.com\"", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyIdentity": { - "description": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "type": "object", - "required": [ - "matchPolicy" - ], - "properties": { - "exactRepository": { - "description": "exactRepository is required if matchPolicy is set to \"ExactRepository\".", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyMatchExactRepository" - }, - "matchPolicy": { - "description": "matchPolicy sets the type of matching to be used. Valid values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". If set matchPolicy to ExactRepository, then the exactRepository must be specified. If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. 
\"MatchRepoDigestOrExact\" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. \"MatchRepository\" means that the identity in the signature must be in the same repository as the image identity. \"ExactRepository\" means that the identity in the signature must be in the same repository as a specific identity specified by \"repository\". \"RemapIdentity\" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", - "type": "string", - "default": "" - }, - "remapIdentity": { - "description": "remapIdentity is required if matchPolicy is set to \"RemapIdentity\".", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyMatchRemapIdentity" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "matchPolicy", - "fields-to-discriminateBy": { - "exactRepository": "PolicyMatchExactRepository", - "remapIdentity": "PolicyMatchRemapIdentity" - } - } - ] - }, - "com.github.openshift.api.config.v1alpha1.PolicyMatchExactRepository": { - "type": "object", - "required": [ - "repository" - ], - "properties": { - "repository": { - "description": "repository is the reference of the image identity to be matched. The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyMatchRemapIdentity": { - "type": "object", - "required": [ - "prefix", - "signedPrefix" - ], - "properties": { - "prefix": { - "description": "prefix is the prefix of the image identity to be matched. 
If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - "type": "string", - "default": "" - }, - "signedPrefix": { - "description": "signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust": { - "description": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "type": "object", - "required": [ - "policyType" - ], - "properties": { - "fulcioCAWithRekor": { - "description": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. 
For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust" - }, - "pki": { - "description": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust" - }, - "policyType": { - "description": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", - "type": "string", - "default": "" - }, - "publicKey": { - "description": "publicKey defines the root of trust based on a sigstore public key.", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "policyType", - "fields-to-discriminateBy": { - "fulcioCAWithRekor": "FulcioCAWithRekor", - "pki": "PKI", - "publicKey": "PublicKey" - } - } - ] - }, "com.github.openshift.api.config.v1alpha1.PrometheusConfig": { "description": "PrometheusConfig provides configuration options for the Prometheus instance. Use this configuration to control Prometheus deployment, pod scheduling, resource allocation, retention policies, and external integrations.", "type": "object", 
@@ -38587,178 +38163,38 @@ "default": {}, "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "image": { - "description": "image is an OCP release image referenced by digest. The format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters. The field is optional, and it will be provided after a release will be successfully installed.", - "type": "string" - }, - "name": { - "description": "name indicates the desired release bundle identifier. This field is required and must be between 1 and 64 characters long. The expected name format is ocp-release-bundle--.", - "type": "string" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageList": { - "description": "InternalReleaseImageList is a list of InternalReleaseImage resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImage" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageRef": { - "description": "InternalReleaseImageRef is used to provide a simple reference for a release bundle. Currently it contains only the name field.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name indicates the desired release bundle identifier. This field is required and must be between 1 and 64 characters long. The expected name format is ocp-release-bundle--.", - "type": "string" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageSpec": { - "description": "InternalReleaseImageSpec defines the desired state of a InternalReleaseImage.", - "type": "object", - "required": [ - "releases" - ], - "properties": { - "releases": { - "description": "releases is a list of release bundle identifiers that the user wants to add/remove to/from the control plane nodes. Entries must be unique, keyed on the name field. 
releases must contain at least one entry and must not exceed 16 entries.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageRef" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageStatus": { - "description": "InternalReleaseImageStatus describes the current state of a InternalReleaseImage.", - "type": "object", - "required": [ - "releases" - ], - "properties": { - "conditions": { - "description": "conditions represent the observations of the InternalReleaseImage controller current state. Valid types are: Degraded. If Degraded is true, that means something has gone wrong in the controller.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "releases": { - "description": "releases is a list of the release bundles currently owned and managed by the cluster. A release bundle content could be safely pulled only when its Conditions field contains at least an Available entry set to \"True\" and Degraded to \"False\". Entries must be unique, keyed on the name field. 
releases must contain at least one entry and must not exceed 32 entries.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageBundleStatus" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference": { - "description": "MCOObjectReference holds information about an object the MCO either owns or modifies in some way", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name is the name of the object being referenced. For example, this can represent a machine config pool or node name. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNode": { - "description": "MachineConfigNode describes the health of the Machines on the system Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "image": { + "description": "image is an OCP release image referenced by digest. The format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters. The field is optional, and it will be provided after a release will be successfully installed.", "type": "string" }, - "metadata": { - "description": "metadata is the standard object metadata.", - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec describes the configuration of the machine config node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpec" - }, - "status": { - "description": "status describes the last observed state of this machine config node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatus" + "name": { + "description": "name indicates the desired release bundle identifier. This field is required and must be between 1 and 64 characters long. 
The expected name format is ocp-release-bundle--.", + "type": "string" } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeList": { - "description": "MachineConfigNodeList describes all of the MachinesStates on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageList": { + "description": "InternalReleaseImageList is a list of InternalReleaseImage resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", + "required": [ + "metadata", + "items" + ], "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items contains a collection of MachineConfigNode resources.", "type": "array", "items": { "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNode" + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImage" } }, "kind": { 
@@ -38766,61 +38202,55 @@ "type": "string" }, "metadata": { - "description": "metadata is the standard list metadata.", + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", "default": {}, "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpec": { - "description": "MachineConfigNodeSpec describes the MachineConfigNode we are managing.", + "com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageRef": { + "description": "InternalReleaseImageRef is used to provide a simple reference for a release bundle. Currently it contains only the name field.", "type": "object", "required": [ - "node", - "pool", - "configVersion" + "name" ], "properties": { - "configVersion": { - "description": "configVersion holds the desired config version for the node targeted by this machine config node resource. The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates the new machine config against the current machine config.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpecMachineConfigVersion" - }, - "node": { - "description": "node contains a reference to the node for this machine config node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference" - }, - "pool": { - "description": "pool contains a reference to the machine config pool that this machine config node's referenced node belongs to.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference" + "name": { + "description": "name indicates the desired release bundle identifier. 
This field is required and must be between 1 and 64 characters long. The expected name format is ocp-release-bundle--.", + "type": "string" } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpecMachineConfigVersion": { - "description": "MachineConfigNodeSpecMachineConfigVersion holds the desired config version for the current observed machine config node. When Current is not equal to Desired, the MachineConfigOperator is in an upgrade phase and the machine config node will take account of upgrade related events. Otherwise, they will be ignored given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", + "com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageSpec": { + "description": "InternalReleaseImageSpec defines the desired state of a InternalReleaseImage.", "type": "object", "required": [ - "desired" + "releases" ], "properties": { - "desired": { - "description": "desired is the name of the machine config that the the node should be upgraded to. This value is set when the machine config pool generates a new version of its rendered configuration. When this value is changed, the machine config daemon starts the node upgrade process. This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" + "releases": { + "description": "releases is a list of release bundle identifiers that the user wants to add/remove to/from the control plane nodes. Entries must be unique, keyed on the name field. 
releases must contain at least one entry and must not exceed 16 entries.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageRef" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatus": { - "description": "MachineConfigNodeStatus holds the reported information on a particular machine config node.", + "com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageStatus": { + "description": "InternalReleaseImageStatus describes the current state of a InternalReleaseImage.", "type": "object", "required": [ - "configVersion" + "releases" ], "properties": { "conditions": { - "description": "conditions represent the observations of a machine config node's current state.", + "description": "conditions represent the observations of the InternalReleaseImage controller current state. Valid types are: Degraded. If Degraded is true, that means something has gone wrong in the controller.", "type": "array", "items": { "default": {}, 
@@ -38831,22 +38261,12 @@ ], "x-kubernetes-list-type": "map" }, - "configVersion": { - "description": "configVersion describes the current and desired machine config version for this node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusMachineConfigVersion" - }, - "observedGeneration": { - "description": "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", - "type": "integer", - "format": "int64" - }, - "pinnedImageSets": { - "description": "pinnedImageSets describes the current and desired pinned image sets for this node.", + "releases": { + "description": "releases is a list of the release bundles currently owned and managed by the cluster. A release bundle content could be safely pulled only when its Conditions field contains at least an Available entry set to \"True\" and Degraded to \"False\". Entries must be unique, keyed on the name field. releases must contain at least one entry and must not exceed 32 entries.", "type": "array", "items": { "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusPinnedImageSet" + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.InternalReleaseImageBundleStatus" }, "x-kubernetes-list-map-keys": [ "name" 
@@ -38855,58 +38275,6 @@ } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusMachineConfigVersion": { - "description": "MachineConfigNodeStatusMachineConfigVersion holds the current and desired config versions as last updated in the MCN status. When the current and desired versions do not match, the machine config pool is processing an upgrade and the machine config node will monitor the upgrade process. When the current and desired versions do match, the machine config node will ignore these events given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", - "type": "object", - "required": [ - "desired" - ], - "properties": { - "current": { - "description": "current is the name of the machine config currently in use on the node. This value is updated once the machine config daemon has completed the update of the configuration for the node. This value should match the desired version unless an upgrade is in progress. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - }, - "desired": { - "description": "desired is the MachineConfig the node wants to upgrade to. This value gets set in the machine config node status once the machine config has been validated against the current machine config. 
Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusPinnedImageSet": { - "description": "MachineConfigNodeStatusPinnedImageSet holds information about the current, desired, and failed pinned image sets for the observed machine config node.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "currentGeneration": { - "description": "currentGeneration is the generation of the pinned image set that has most recently been successfully pulled and pinned on this node.", - "type": "integer", - "format": "int32" - }, - "desiredGeneration": { - "description": "desiredGeneration is the generation of the pinned image set that is targeted to be pulled and pinned on this node.", - "type": "integer", - "format": "int32" - }, - "lastFailedGeneration": { - "description": "lastFailedGeneration is the generation of the most recent pinned image set that failed to be pulled and pinned on this node.", - "type": "integer", - "format": "int32" - }, - "lastFailedGenerationError": { - "description": "lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. The error is an empty string if the image pull and pin is successful.", - "type": "string" - }, - "name": { - "description": "name is the name of the pinned image set. 
Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, "com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStream": { "description": "OSImageStream describes a set of streams and associated images available for the MachineConfigPools to be used as base OS images.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", 
@@ -38995,7 +38363,7 @@ "type": "object", "properties": { "defaultStream": { - "description": "defaultStream is the desired name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool.\n\nThis field is set by the installer during installation. Users may need to update it if the currently selected stream is no longer available, for example when the stream has reached its End of Life. The MachineConfigOperator uses this value to determine which stream from status.availableStreams to apply as the default for MachineConfigPools that do not specify a stream override.\n\nWhen status.availableStreams has been populated by the operator, updating this field requires that the new value references the name of one of the streams in status.availableStreams. Status-only updates by the operator are not subject to this constraint, allowing the operator to update availableStreams independently of this field. During initial creation, before the operator has populated status, any valid value is accepted.\n\nWhen omitted, the operator determines the default stream automatically.\n\nIt must be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').", + "description": "defaultStream is the desired name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool.\n\nThis field is set by the installer during installation. Users may need to update it if the currently selected stream is no longer available, for example when the stream has reached its End of Life. 
The MachineConfigOperator uses this value to determine which stream from status.availableStreams to apply as the default for MachineConfigPools that do not specify a stream override.\n\nWhen status.availableStreams has been populated by the operator, updating this field requires that the new value references the name of one of the streams in status.availableStreams. Status-only updates by the operator are not subject to this constraint, allowing the operator to update availableStreams independently of this field. During initial creation, before the operator has populated status, any valid value is accepted.\n\nWhen omitted, the operator determines the default stream automatically. Once set, this field cannot be removed.\n\nIt must be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').", "type": "string" } } 
@@ -39026,118 +38394,6 @@ } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageRef": { - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name is an OCI Image referenced by digest. The format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.", - "type": "string" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSet": { - "description": "PinnedImageSet describes a set of images that should be pinned by CRI-O and pulled to the nodes which are members of the declared MachineConfigPools.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec describes the configuration of this pinned image set.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetSpec" - }, - "status": { - "description": "status describes the last observed state of this pinned image set.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetStatus" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetList": { - "description": "PinnedImageSetList is a list of PinnedImageSet resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSet" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetSpec": { - "description": "PinnedImageSetSpec defines the desired state of a PinnedImageSet.", - "type": "object", - "required": [ - "pinnedImages" - ], - "properties": { - "pinnedImages": { - "description": "pinnedImages is a list of OCI Image referenced by digest that should be pinned and pre-loaded by the nodes of a MachineConfigPool. Translates into a new file inside the /etc/crio/crio.conf.d directory with content similar to this:\n\n pinned_images = [\n \"quay.io/openshift-release-dev/ocp-release@sha256:...\",\n \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...\",\n \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...\",\n ...\n ]\n\nThese image references should all be by digest, tags aren't allowed.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageRef" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetStatus": { - "description": "PinnedImageSetStatus describes the current state of a PinnedImageSet.", - "type": "object", - "properties": { - "conditions": { - "description": "conditions represent the observations of a pinned image set's current state.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": 
"map" - } - } - }, "com.github.openshift.api.monitoring.v1.AlertRelabelConfig": { "description": "AlertRelabelConfig defines a set of relabel configs for alerts.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", @@ -43090,7 +42346,8 @@ "items": { "default": {}, "$ref": "#/definitions/Toleration.v1.core.api.k8s.io" - } + }, + "x-kubernetes-list-type": "atomic" } } }, @@ -43145,7 +42402,16 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.operator.v1.Server" - } + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "template": { + "description": "template is an optional configuration for custom DNS query handling via the CoreDNS template plugin. The template defines how to handle queries matching specific zones and query types.\n\nThe template applies to all domains (custom domains from spec.servers and the cluster domain) to ensure consistent DNS resolution across all paths.\n\nWhen this field is not set, no template plugin configuration is added to CoreDNS.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.DNSTemplate" }, "upstreamResolvers": { "description": "upstreamResolvers defines a schema for configuring CoreDNS to proxy DNS messages to upstream resolvers for the case of the default (\".\") server\n\nIf this field is not specified, the upstream used will default to /etc/resolv.conf, with policy \"sequential\"", 
@@ -43179,11 +42445,62 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map", "x-kubernetes-patch-merge-key": "type", "x-kubernetes-patch-strategy": "merge" } } }, + "com.github.openshift.api.operator.v1.DNSTemplate": { + "description": "DNSTemplate defines a template for custom DNS query handling via the CoreDNS template plugin. DNSTemplate enables filtering or custom responses for DNS queries matching specific zones and query types.", + "type": "object", + "required": [ + "zones", + "queryType", + "queryClass", + "action" + ], + "properties": { + "action": { + "description": "action defines how to handle queries matching this template's zones and query type. The action builds a single DNS response by specifying the response code and may be extended by additional fields in the future.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.DNSTemplateAction" + }, + "queryClass": { + "description": "queryClass specifies the DNS query class to match. Valid values are \"IN\".", + "type": "string" + }, + "queryType": { + "description": "queryType specifies the DNS query type to match. Valid values are \"AAAA\".", + "type": "string" + }, + "zones": { + "description": "zones specifies the DNS zones this template applies to. Each zone must be a valid DNS name as defined in RFC 1123. The special zone \".\" matches all domains (catch-all). Multiple zones can be specified to apply the same template actions to multiple domains. 
At least 1 and at most 15 zones may be specified.\n\nNote: root zone (\".\") includes cluster domain (cluster.local); use specific zones to avoid impacting IPv6 queries in IPv6 or dual-stack clusters.\n\nExamples: - [\".\"] matches all domains (catch-all for global AAAA filtering) - [\"example.com\"] matches only example.com and its subdomains - [\"example.com\", \"test.com\"] matches both domains and their subdomains", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + } + } + }, + "com.github.openshift.api.operator.v1.DNSTemplateAction": { + "description": "DNSTemplateAction defines how to construct a DNS response for queries matching the template.", + "type": "object", + "required": [ + "rcode" + ], + "properties": { + "rcode": { + "description": "rcode is the DNS response code to return. Valid values are \"NOERROR\".\n\nThe template returns a response with no answer records. For AAAA filtering, this means IPv6 address queries return successfully but with no IPv6 addresses, causing clients to fall back to IPv4 (A record) queries.", + "type": "string" + } + } + }, "com.github.openshift.api.operator.v1.DNSTransportConfig": { "description": "DNSTransportConfig groups related configuration parameters used for configuring forwarding to upstream resolvers that support DNS-over-TLS.", "type": "object", @@ -43685,7 +43002,8 @@ "items": { "type": "string", "default": "" - } + }, + "x-kubernetes-list-type": "set" } } }, @@ -47612,7 +46930,8 @@ "items": { "type": "string", "default": "" - } + }, + "x-kubernetes-list-type": "set" } } }, @@ -48554,7 +47873,8 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.operator.v1.Upstream" - } + }, + "x-kubernetes-list-type": "atomic" } } }, diff --git a/operator/v1/tests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml b/operator/v1/tests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml new file mode 100644 index 00000000000..f9571f76cc3 
--- /dev/null +++ b/operator/v1/tests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml 
@@ -0,0 +1,486 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "DNS" +crdName: dnses.operator.openshift.io +featureGates: +- DNSTemplatePlugin +tests: + onCreate: + - name: Should be able to create a DNS with template - catch-all zone + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["."] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expected: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + logLevel: Normal + operatorLogLevel: Normal + upstreamResolvers: + policy: Sequential + upstreams: + - port: 53 + type: SystemResolvConf + template: + zones: ["."] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + - name: Should be able to create a DNS with template - specific zone + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["example.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expected: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + logLevel: Normal + operatorLogLevel: Normal + upstreamResolvers: + policy: Sequential + upstreams: + - port: 53 + type: SystemResolvConf + template: + zones: ["example.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + - name: Should be able to create a DNS with template - multiple zones + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["example.com", "test.com", "corp.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expected: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + logLevel: Normal + operatorLogLevel: Normal + upstreamResolvers: + policy: Sequential + upstreams: + - port: 53 + type: SystemResolvConf + template: + zones: ["example.com", "test.com", "corp.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + - name: Should be able to create a DNS without template (optional field) + initial: 
| + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + servers: [] + expected: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + logLevel: Normal + operatorLogLevel: Normal + upstreamResolvers: + policy: Sequential + upstreams: + - port: 53 + type: SystemResolvConf + servers: [] + - name: Should reject DNS with template - missing zones + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: "Required value" + - name: Should reject DNS with template - empty zones array + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: [] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: "should have at least 1 items" + - name: Should reject DNS with template - invalid queryType + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["."] + queryType: A + queryClass: IN + action: + rcode: NOERROR + expectedError: 'Unsupported value: "A": supported values: "AAAA"' + - name: Should reject DNS with template - invalid queryClass + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["."] + queryType: AAAA + queryClass: CH + action: + rcode: NOERROR + expectedError: 'Unsupported value: "CH": supported values: "IN"' + - name: Should reject DNS with template - missing action + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["."] + queryType: AAAA + queryClass: IN + expectedError: "Required value" + - name: Should reject DNS with template - missing rcode + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["."] + queryType: AAAA + queryClass: IN + action: {} + expectedError: "Required value" + - name: Should reject DNS with template - invalid rcode + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + 
zones: ["."] + queryType: AAAA + queryClass: IN + action: + rcode: NXDOMAIN + expectedError: 'Unsupported value: "NXDOMAIN": supported values: "NOERROR"' + - name: Should reject DNS with template - too many zones (more than 15) + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["zone1.com", "zone2.com", "zone3.com", "zone4.com", "zone5.com", "zone6.com", "zone7.com", "zone8.com", "zone9.com", "zone10.com", "zone11.com", "zone12.com", "zone13.com", "zone14.com", "zone15.com", "zone16.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: "must have at most 15 items" + - name: Should reject DNS with template - invalid zone with underscore + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["invalid_domain.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: "in body should match '^(\\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'" + - name: Should reject DNS with template - invalid zone with trailing dot + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["example.com."] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: "in body should match '^(\\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'" + - name: Should reject DNS with template - invalid zone with uppercase + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["Example.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: "in body should match '^(\\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'" + - name: Should reject DNS with template - invalid zone starting with hyphen + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["-example.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: 
"in body should match '^(\\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'" + - name: Should reject DNS with template - invalid zone ending with hyphen + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["example-.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: "in body should match '^(\\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'" + - name: Should accept DNS with template - valid subdomain zones + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["sub.example.com", "deep.sub.example.com", "a-b.example.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expected: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + logLevel: Normal + operatorLogLevel: Normal + upstreamResolvers: + policy: Sequential + upstreams: + - port: 53 + type: SystemResolvConf + template: + zones: ["sub.example.com", "deep.sub.example.com", "a-b.example.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + - name: Should reject DNS with template - duplicate zones (listType=set) + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["example.com", "example.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: "zones" + onUpdate: + - name: Should be able to add template to existing DNS + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["."] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expected: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + logLevel: Normal + operatorLogLevel: Normal + upstreamResolvers: + policy: Sequential + upstreams: + - port: 53 + type: SystemResolvConf + template: + zones: ["."] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + - 
name: Should be able to update template zones + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["example.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + updated: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["example.com", "test.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expected: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + logLevel: Normal + operatorLogLevel: Normal + upstreamResolvers: + policy: Sequential + upstreams: + - port: 53 + type: SystemResolvConf + template: + zones: ["example.com", "test.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + - name: Should be able to remove template from existing DNS + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["."] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + updated: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: {} + expected: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + logLevel: Normal + operatorLogLevel: Normal + upstreamResolvers: + policy: Sequential + upstreams: + - port: 53 + type: SystemResolvConf + - name: Should reject update with invalid queryType + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["."] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + updated: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["."] + queryType: CNAME + queryClass: IN + action: + rcode: NOERROR + expectedError: 'Unsupported value: "CNAME"' + - name: Should reject update with empty zones + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["."] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + updated: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: [] + queryType: AAAA + queryClass: IN + 
action: + rcode: NOERROR + expectedError: "should have at least 1 items" + - name: Should reject update with invalid zone format + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["example.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + updated: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["invalid_zone.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: "in body should match '^(\\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'" + - name: Should reject update with too many zones + initial: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["example.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + updated: | + apiVersion: operator.openshift.io/v1 + kind: DNS + spec: + template: + zones: ["zone1.com", "zone2.com", "zone3.com", "zone4.com", "zone5.com", "zone6.com", "zone7.com", "zone8.com", "zone9.com", "zone10.com", "zone11.com", "zone12.com", "zone13.com", "zone14.com", "zone15.com", "zone16.com"] + queryType: AAAA + queryClass: IN + action: + rcode: NOERROR + expectedError: "must have at most 15 items" diff --git a/operator/v1/types_dns.go b/operator/v1/types_dns.go index 25880478684..97fb26f0807 100644 --- a/operator/v1/types_dns.go +++ b/operator/v1/types_dns.go @@ -52,6 +52,8 @@ type DNSSpec struct { // If this field is nil, no servers are created. // // +optional + // +listType=map + // +listMapKey=name Servers []Server `json:"servers,omitempty"` // upstreamResolvers defines a schema for configuring CoreDNS 
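Review bot: The duplicate-zones case at the end of the onCreate list asserts only `expectedError: "zones"`, which any validation failure that mentions the field satisfies (a pattern or MinItems failure included), so it does not actually prove the `listType=set` uniqueness check fires; pin it to the duplicate-value message the API server emits, presumably of the form `Duplicate value: "example.com"`. The file also has no case for the length bounds declared on `Zone` — a single zone longer than 253 characters (`MaxLength`) and a single label longer than 63 characters, which the doc comment on `Zone` says is invalid — so whether the schema really matches that comment is never exercised. Adding those two negative cases next to the existing underscore/hyphen/uppercase cases would close the gap and catch a regression if the pattern is later relaxed.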
@@ -116,6 +118,18 @@ type DNSSpec struct { // 30 seconds or as noted in the respective Corefile for your version of OpenShift. // +optional Cache DNSCache `json:"cache,omitempty"` + + // template is an optional configuration for custom DNS query handling via the CoreDNS template plugin. + // The template defines how to handle queries matching specific zones and query types. + // + // The template applies to all domains (custom domains from spec.servers and the cluster domain) + // to ensure consistent DNS resolution across all paths. + // + // When this field is not set, no template plugin configuration is added to CoreDNS. + // + // +optional + // +openshift:enable:FeatureGate=DNSTemplatePlugin + Template DNSTemplate `json:"template,omitzero"` } // DNSCache defines the fields for configuring DNS caching. @@ -167,10 +181,13 @@ var ( type Server struct { // name is required and specifies a unique name for the server. Name must comply // with the Service Name Syntax of rfc6335. + // +required Name string `json:"name"` // zones is required and specifies the subdomains that Server is authoritative for. // Zones must conform to the rfc1123 definition of a subdomain. Specifying the // cluster domain (i.e., "cluster.local") is invalid. + // +required + // +listType=set Zones []string `json:"zones"` // forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages // to upstream resolvers. @@ -270,6 +287,7 @@ type ForwardPlugin struct { // A maximum of 15 upstreams is allowed per ForwardPlugin. // // +kubebuilder:validation:MaxItems=15 + // +listType=set Upstreams []string `json:"upstreams"` // policy is used to determine the order in which upstream servers are selected for querying. 
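Review bot: Adding `+listType=set` to `Server.Zones` in the `@@ -167` hunk (and to `ForwardPlugin.Upstreams` in `@@ -270`) tightens validation on a compatibility-level-1 field: the CRD will now reject a list that names the same zone or upstream twice, where the v1 schema previously accepted it. Any stored DNS object that already carries such a duplicate would fail its next spec write — unless the API server's CRD validation ratcheting covers the unchanged list, which the diff cannot show. If duplicates were ever accepted in practice, `// +listType=atomic` (as this same change uses for `UpstreamResolvers.Upstreams`) gives the server-side-apply semantics without the new uniqueness constraint; otherwise a sentence in the field comment such as `// Duplicate entries are rejected by the API server.` would make the new behaviour explicit for operators upgrading existing clusters. Both `Server` and `ForwardPlugin` continue outside these hunks.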
@@ -330,6 +348,7 @@ type UpstreamResolvers struct { // +optional // +kubebuilder:validation:MaxItems=15 // +kubebuilder:default={{"type":"SystemResolvConf"}} + // +listType=atomic Upstreams []Upstream `json:"upstreams"` // policy is used to determine the order in which upstream servers are selected for querying. @@ -459,6 +478,7 @@ type DNSNodePlacement struct { // https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ // // +optional + // +listType=atomic Tolerations []corev1.Toleration `json:"tolerations,omitempty"` } 
@@ -467,6 +487,96 @@ const ( DNSAvailable = "Available" ) +// QueryType represents DNS query types supported by templates. +// +kubebuilder:validation:Enum=AAAA +type QueryType string + +const ( + // QueryTypeAAAA represents IPv6 address records (AAAA). + QueryTypeAAAA QueryType = "AAAA" +) + +// QueryClass represents DNS query classes supported by templates. +// Valid value is "IN". +// +kubebuilder:validation:Enum=IN +type QueryClass string + +const ( + // QueryClassIN represents the Internet class. + QueryClassIN QueryClass = "IN" +) + +// ResponseCode represents DNS response codes. +// +kubebuilder:validation:Enum=NOERROR +type ResponseCode string + +const ( + // ResponseCodeNOERROR indicates a successful DNS query with or without answer records. + ResponseCodeNOERROR ResponseCode = "NOERROR" +) + +// Zone is a DNS zone name. It must be either "." (catch-all) or a valid RFC1123 subdomain. +// Valid RFC1123 subdomains consist of lowercase alphanumeric characters, hyphens, and dots. +// Labels cannot start or end with hyphens and must be 1-63 characters each. +// +kubebuilder:validation:MaxLength=253 +// +kubebuilder:validation:Pattern=`^(\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$` +type Zone string + +// DNSTemplate defines a template for custom DNS query handling via the CoreDNS template plugin. +// DNSTemplate enables filtering or custom responses for DNS queries matching specific zones and query types. +type DNSTemplate struct { + // zones specifies the DNS zones this template applies to. + // Each zone must be a valid DNS name as defined in RFC 1123. + // The special zone "." matches all domains (catch-all). + // Multiple zones can be specified to apply the same template actions to multiple domains. + // At least 1 and at most 15 zones may be specified. + // + // Note: root zone (".") includes cluster domain (cluster.local); use specific zones to avoid impacting IPv6 queries in IPv6 or dual-stack clusters. 
+ // + // Examples: + // - ["."] matches all domains (catch-all for global AAAA filtering) + // - ["example.com"] matches only example.com and its subdomains + // - ["example.com", "test.com"] matches both domains and their subdomains + // + // +listType=set + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=15 + // +required + Zones []Zone `json:"zones,omitempty"` + + // queryType specifies the DNS query type to match. + // Valid values are "AAAA". + // + // +required + QueryType QueryType `json:"queryType,omitempty"` + + // queryClass specifies the DNS query class to match. + // Valid values are "IN". + // + // +required + QueryClass QueryClass `json:"queryClass,omitempty"` + + // action defines how to handle queries matching this template's zones and query type. + // The action builds a single DNS response by specifying the response code and may be + // extended by additional fields in the future. + // + // +required + Action DNSTemplateAction `json:"action,omitzero"` +} + +// DNSTemplateAction defines how to construct a DNS response for queries matching the template. +type DNSTemplateAction struct { + // rcode is the DNS response code to return. + // Valid values are "NOERROR". + // + // The template returns a response with no answer records. For AAAA filtering, + // this means IPv6 address queries return successfully but with no IPv6 addresses, + // causing clients to fall back to IPv4 (A record) queries. + // + // +required + Rcode ResponseCode `json:"rcode,omitempty"` +} + // DNSStatus defines the observed status of the DNS. type DNSStatus struct { // clusterIP is the service IP through which this DNS is made available. @@ -504,6 +614,8 @@ type DNSStatus struct { // // +patchMergeKey=type // +patchStrategy=merge + // +listType=map + // +listMapKey=type // +optional Conditions []OperatorCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` } 
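Review bot: The `Zone` pattern in the `@@ -467` hunk does not enforce the per-label limit its own comment promises: `[a-z0-9]([-a-z0-9]*[a-z0-9])?` accepts a 200-character label, so only the 253-character `MaxLength` bounds a zone and `Labels ... must be 1-63 characters each` is currently untrue. Use the bounded form, keeping the raw-string quoting of the original, `+kubebuilder:validation:Pattern=^(\.|[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*)$`, or drop the 63-character sentence from the comment; changing the pattern also changes the string quoted in every `expectedError` of DNSTemplatePlugin.yaml. Separately, this pattern deserves a comment saying it is load-bearing: zones are presumably rendered verbatim into the CoreDNS Corefile template stanza, and the restricted character class is what keeps whitespace, braces and newlines — anything that could open a new Corefile block — out of user-controlled input, so it must not be relaxed to a looser hostname format later. Something like `// NOTE: this pattern also keeps Corefile metacharacters out of the rendered template stanza; do not relax it without revisiting how the operator quotes zones.` on the `Zone` type would record that.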
diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..d2cc526266e --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,705 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: dnses.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + DNS manages the CoreDNS component to provide a name resolution service + for pods and services in the cluster. + + This supports the DNS-based service discovery specification: + https://github.com/kubernetes/dns/blob/master/docs/specification.md + + More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + DNS. 
+ properties: + cache: + description: |- + cache describes the caching configuration that applies to all server blocks listed in the Corefile. + This field allows a cluster admin to optionally configure: + * positiveTTL which is a duration for which positive responses should be cached. + * negativeTTL which is a duration for which negative responses should be cached. + If this is not configured, OpenShift will configure positive and negative caching with a default value that is + subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is + 30 seconds or as noted in the respective Corefile for your version of OpenShift. + properties: + negativeTTL: + description: |- + negativeTTL is optional and specifies the amount of time that a negative response should be cached. + + If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This + field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, + e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second. + If the configured value is less than 1s, the default value will be used. + If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted + otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject + to change. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + positiveTTL: + description: |- + positiveTTL is optional and specifies the amount of time that a positive response should be cached. + + If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This + field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, + e.g. "100s", "1m30s", "12h30m10s". 
Values that are fractions of a second are rounded down to the nearest second. + If the configured value is less than 1s, the default value will be used. + If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted + otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject + to change. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + type: object + logLevel: + default: Normal + description: |- + logLevel describes the desired logging verbosity for CoreDNS. + Any one of the following values may be specified: + * Normal logs errors from upstream resolvers. + * Debug logs errors, NXDOMAIN responses, and NODATA responses. + * Trace logs errors and all responses. + Setting logLevel: Trace will produce extremely verbose logs. + Valid values are: "Normal", "Debug", "Trace". + Defaults to "Normal". + enum: + - Normal + - Debug + - Trace + type: string + managementState: + description: |- + managementState indicates whether the DNS operator should manage cluster + DNS + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + nodePlacement: + description: |- + nodePlacement provides explicit control over the scheduling of DNS + pods. + + Generally, it is useful to run a DNS pod on every node so that DNS + queries are always handled by a local DNS pod instead of going over + the network to a DNS pod on another node. However, security policies + may require restricting the placement of DNS pods to specific nodes. + For example, if a security policy prohibits pods on arbitrary nodes + from communicating with the API, a node selector can be specified to + restrict DNS pods to nodes that are permitted to communicate with the + API. Conversely, if running DNS pods on nodes with a particular + taint is desired, a toleration can be specified for that taint. + + If unset, defaults are used. See nodePlacement for more details. 
+ properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to DNS pods. + + If empty, the default is used, which is currently the following: + + kubernetes.io/os: linux + + This default is subject to change. + + If set, the specified selector is used and replaces the default. + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to DNS pods. + + If empty, the DNS operator sets a toleration for the + "node-role.kubernetes.io/master" taint. This default is subject to + change. Specifying tolerations without including a toleration for + the "node-role.kubernetes.io/master" taint may be risky as it could + lead to an outage if all worker nodes become unavailable. + + Note that the daemon controller adds some tolerations as well. See + https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel controls the logging level of the DNS Operator. + Valid values are: "Normal", "Debug", "Trace". + Defaults to "Normal". + setting operatorLogLevel: Trace will produce extremely verbose logs. + enum: + - Normal + - Debug + - Trace + type: string + servers: + description: |- + servers is a list of DNS resolvers that provide name query delegation for one or + more subdomains outside the scope of the cluster domain. If servers consists of + more than one Server, longest suffix match will be used to determine the Server. + + For example, if there are two Servers, one for "foo.com" and another for "a.foo.com", + and the name query is for "www.a.foo.com", it will be routed to the Server with Zone + "a.foo.com". + + If this field is nil, no servers are created. + items: + description: Server defines the schema for a server that runs per + instance of CoreDNS. + properties: + forwardPlugin: + description: |- + forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages + to upstream resolvers. + properties: + policy: + default: Random + description: |- + policy is used to determine the order in which upstream servers are selected for querying. 
+ Any one of the following values may be specified: + + * "Random" picks a random upstream server for each query. + * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. + * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query. + + The default value is "Random" + enum: + - Random + - RoundRobin + - Sequential + type: string + protocolStrategy: + description: |- + protocolStrategy specifies the protocol to use for upstream DNS + requests. + Valid values for protocolStrategy are "TCP" and omitted. + When omitted, this means no opinion and the platform is left to choose + a reasonable default, which is subject to change over time. + The current default is to use the protocol of the original client request. + "TCP" specifies that the platform should use TCP for all upstream DNS requests, + even if the client request uses UDP. + "TCP" is useful for UDP-specific issues such as those created by + non-compliant upstream resolvers, but may consume more bandwidth or + increase DNS response time. Note that protocolStrategy only affects + the protocol of DNS requests that CoreDNS makes to upstream resolvers. + It does not affect the protocol of DNS requests between clients and + CoreDNS. + enum: + - TCP + - "" + type: string + transportConfig: + description: |- + transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use + when forwarding DNS requests to an upstream resolver. + + The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS + requests to an upstream resolver. + properties: + tls: + description: tls contains the additional configuration + options to use when Transport is set to "TLS". 
+ properties: + caBundle: + description: |- + caBundle references a ConfigMap that must contain either a single + CA Certificate or a CA Bundle. This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of upstream resolvers. + + 1. The configmap must contain a `ca-bundle.crt` key. + 2. The value must be a PEM encoded CA certificate or CA bundle. + 3. The administrator must create this configmap in the openshift-config namespace. + 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is + set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the + TLS certificate installed in the upstream resolver(s). + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - serverName + type: object + transport: + description: |- + transport allows cluster administrators to opt-in to using a DNS-over-TLS + connection between cluster DNS and an upstream resolver(s). Configuring + TLS as the transport at this level without configuring a CABundle will + result in the system certificates being used to verify the serving + certificate of the upstream resolver(s). + + Possible values: + "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject + to change over time. The current default is "Cleartext". + "Cleartext" - Cluster admin specified cleartext option. 
This results in the same functionality + as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, + or wants to switch from "TLS" to "Cleartext" explicitly. + "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, + you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default + per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1. + enum: + - TLS + - Cleartext + - "" + type: string + type: object + upstreams: + description: |- + upstreams is a list of resolvers to forward name queries for subdomains of Zones. + Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream + returns an error during the exchange, another resolver is tried from Upstreams. The + Upstreams are selected in the order specified in Policy. Each upstream is represented + by an IP address or IP:port if the upstream listens on a port other than 53. + + A maximum of 15 upstreams is allowed per ForwardPlugin. + items: + type: string + maxItems: 15 + type: array + x-kubernetes-list-type: set + type: object + name: + description: |- + name is required and specifies a unique name for the server. Name must comply + with the Service Name Syntax of rfc6335. + type: string + zones: + description: |- + zones is required and specifies the subdomains that Server is authoritative for. + Zones must conform to the rfc1123 definition of a subdomain. Specifying the + cluster domain (i.e., "cluster.local") is invalid. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - name + - zones + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + template: + description: |- + template is an optional configuration for custom DNS query handling via the CoreDNS template plugin. 
+ The template defines how to handle queries matching specific zones and query types. + + The template applies to all domains (custom domains from spec.servers and the cluster domain) + to ensure consistent DNS resolution across all paths. + + When this field is not set, no template plugin configuration is added to CoreDNS. + properties: + action: + description: |- + action defines how to handle queries matching this template's zones and query type. + The action builds a single DNS response by specifying the response code and may be + extended by additional fields in the future. + properties: + rcode: + description: |- + rcode is the DNS response code to return. + Valid values are "NOERROR". + + The template returns a response with no answer records. For AAAA filtering, + this means IPv6 address queries return successfully but with no IPv6 addresses, + causing clients to fall back to IPv4 (A record) queries. + enum: + - NOERROR + type: string + required: + - rcode + type: object + queryClass: + description: |- + queryClass specifies the DNS query class to match. + Valid values are "IN". + enum: + - IN + type: string + queryType: + description: |- + queryType specifies the DNS query type to match. + Valid values are "AAAA". + enum: + - AAAA + type: string + zones: + description: |- + zones specifies the DNS zones this template applies to. + Each zone must be a valid DNS name as defined in RFC 1123. + The special zone "." matches all domains (catch-all). + Multiple zones can be specified to apply the same template actions to multiple domains. + At least 1 and at most 15 zones may be specified. + + Note: root zone (".") includes cluster domain (cluster.local); use specific zones to avoid impacting IPv6 queries in IPv6 or dual-stack clusters. 
+ + Examples: + - ["."] matches all domains (catch-all for global AAAA filtering) + - ["example.com"] matches only example.com and its subdomains + - ["example.com", "test.com"] matches both domains and their subdomains + items: + description: |- + Zone is a DNS zone name. It must be either "." (catch-all) or a valid RFC1123 subdomain. + Valid RFC1123 subdomains consist of lowercase alphanumeric characters, hyphens, and dots. + Labels cannot start or end with hyphens and must be 1-63 characters each. + maxLength: 253 + pattern: ^(\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$ + type: string + maxItems: 15 + minItems: 1 + type: array + x-kubernetes-list-type: set + required: + - action + - queryClass + - queryType + - zones + type: object + upstreamResolvers: + default: {} + description: |- + upstreamResolvers defines a schema for configuring CoreDNS + to proxy DNS messages to upstream resolvers for the case of the + default (".") server + + If this field is not specified, the upstream used will default to + /etc/resolv.conf, with policy "sequential" + properties: + policy: + default: Sequential + description: |- + policy is used to determine the order in which upstream servers are selected for querying. + Any one of the following values may be specified: + + * "Random" picks a random upstream server for each query. + * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. + * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query. + + The default value is "Sequential" + enum: + - Random + - RoundRobin + - Sequential + type: string + protocolStrategy: + description: |- + protocolStrategy specifies the protocol to use for upstream DNS + requests. + Valid values for protocolStrategy are "TCP" and omitted. 
+ When omitted, this means no opinion and the platform is left to choose + a reasonable default, which is subject to change over time. + The current default is to use the protocol of the original client request. + "TCP" specifies that the platform should use TCP for all upstream DNS requests, + even if the client request uses UDP. + "TCP" is useful for UDP-specific issues such as those created by + non-compliant upstream resolvers, but may consume more bandwidth or + increase DNS response time. Note that protocolStrategy only affects + the protocol of DNS requests that CoreDNS makes to upstream resolvers. + It does not affect the protocol of DNS requests between clients and + CoreDNS. + enum: + - TCP + - "" + type: string + transportConfig: + description: |- + transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use + when forwarding DNS requests to an upstream resolver. + + The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS + requests to an upstream resolver. + properties: + tls: + description: tls contains the additional configuration options + to use when Transport is set to "TLS". + properties: + caBundle: + description: |- + caBundle references a ConfigMap that must contain either a single + CA Certificate or a CA Bundle. This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of upstream resolvers. + + 1. The configmap must contain a `ca-bundle.crt` key. + 2. The value must be a PEM encoded CA certificate or CA bundle. + 3. The administrator must create this configmap in the openshift-config namespace. + 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName. 
+ properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is + set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the + TLS certificate installed in the upstream resolver(s). + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - serverName + type: object + transport: + description: |- + transport allows cluster administrators to opt-in to using a DNS-over-TLS + connection between cluster DNS and an upstream resolver(s). Configuring + TLS as the transport at this level without configuring a CABundle will + result in the system certificates being used to verify the serving + certificate of the upstream resolver(s). + + Possible values: + "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject + to change over time. The current default is "Cleartext". + "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality + as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, + or wants to switch from "TLS" to "Cleartext" explicitly. + "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, + you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default + per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1. 
+ enum: + - TLS + - Cleartext + - "" + type: string + type: object + upstreams: + default: + - type: SystemResolvConf + description: |- + upstreams is a list of resolvers to forward name queries for the "." domain. + Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream + returns an error during the exchange, another resolver is tried from Upstreams. The + Upstreams are selected in the order specified in Policy. + + A maximum of 15 upstreams is allowed per ForwardPlugin. + If no Upstreams are specified, /etc/resolv.conf is used by default + items: + anyOf: + - not: + required: + - address + - port + properties: + type: + enum: + - "" + - SystemResolvConf + - optional: + - port + properties: + type: + enum: + - Network + required: + - address + description: |- + Upstream can either be of type SystemResolvConf, or of type Network. + + - For an Upstream of type SystemResolvConf, no further fields are necessary: + The upstream will be configured to use /etc/resolv.conf. + - For an Upstream of type Network, a NetworkResolver field needs to be defined + with an IP address or IP:port if the upstream listens on a port other than 53. + properties: + address: + anyOf: + - format: ipv4 + - format: ipv6 + description: |- + address must be defined when Type is set to Network. It will be ignored otherwise. + It must be a valid ipv4 or ipv6 address. + type: string + port: + default: 53 + description: |- + port may be defined when Type is set to Network. It will be ignored otherwise. + Port must be between 65535 + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: + description: |- + type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf. + Type accepts 2 possible values: SystemResolvConf or Network. 
+ + * When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined: + /etc/resolv.conf will be used + * When Network is used, the Upstream structure must contain at least an Address + enum: + - SystemResolvConf + - Network + - "" + type: string + required: + - type + type: object + maxItems: 15 + type: array + x-kubernetes-list-type: atomic + type: object + type: object + status: + description: status is the most recently observed status of the DNS. + properties: + clusterDomain: + description: |- + clusterDomain is the local cluster DNS domain suffix for DNS services. + This will be a subdomain as defined in RFC 1034, + section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5 + Example: "cluster.local" + + More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service + type: string + clusterIP: + description: |- + clusterIP is the service IP through which this DNS is made available. + + In the case of the default DNS, this will be a well known IP that is used + as the default nameserver for pods that are using the default ClusterFirst DNS policy. + + In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list + or used explicitly when performing name resolution from within the cluster. + Example: dig foo.com @ + + More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + type: string + conditions: + description: |- + conditions provide information about the state of the DNS on the cluster. + + These are the supported DNS conditions: + + * Available + - True if the following conditions are met: + * DNS controller daemonset is available. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - clusterDomain + - clusterIP + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-Default.crd.yaml new file mode 100644 index 00000000000..3a857d90b49 --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-Default.crd.yaml 
@@ -0,0 +1,629 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: dnses.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + DNS manages the CoreDNS component to provide a name resolution service + for pods and services in the cluster. + + This supports the DNS-based service discovery specification: + https://github.com/kubernetes/dns/blob/master/docs/specification.md + + More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + DNS. 
+ properties: + cache: + description: |- + cache describes the caching configuration that applies to all server blocks listed in the Corefile. + This field allows a cluster admin to optionally configure: + * positiveTTL which is a duration for which positive responses should be cached. + * negativeTTL which is a duration for which negative responses should be cached. + If this is not configured, OpenShift will configure positive and negative caching with a default value that is + subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is + 30 seconds or as noted in the respective Corefile for your version of OpenShift. + properties: + negativeTTL: + description: |- + negativeTTL is optional and specifies the amount of time that a negative response should be cached. + + If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This + field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, + e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second. + If the configured value is less than 1s, the default value will be used. + If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted + otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject + to change. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + positiveTTL: + description: |- + positiveTTL is optional and specifies the amount of time that a positive response should be cached. + + If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This + field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, + e.g. "100s", "1m30s", "12h30m10s". 
Values that are fractions of a second are rounded down to the nearest second. + If the configured value is less than 1s, the default value will be used. + If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted + otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject + to change. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + type: object + logLevel: + default: Normal + description: |- + logLevel describes the desired logging verbosity for CoreDNS. + Any one of the following values may be specified: + * Normal logs errors from upstream resolvers. + * Debug logs errors, NXDOMAIN responses, and NODATA responses. + * Trace logs errors and all responses. + Setting logLevel: Trace will produce extremely verbose logs. + Valid values are: "Normal", "Debug", "Trace". + Defaults to "Normal". + enum: + - Normal + - Debug + - Trace + type: string + managementState: + description: |- + managementState indicates whether the DNS operator should manage cluster + DNS + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + nodePlacement: + description: |- + nodePlacement provides explicit control over the scheduling of DNS + pods. + + Generally, it is useful to run a DNS pod on every node so that DNS + queries are always handled by a local DNS pod instead of going over + the network to a DNS pod on another node. However, security policies + may require restricting the placement of DNS pods to specific nodes. + For example, if a security policy prohibits pods on arbitrary nodes + from communicating with the API, a node selector can be specified to + restrict DNS pods to nodes that are permitted to communicate with the + API. Conversely, if running DNS pods on nodes with a particular + taint is desired, a toleration can be specified for that taint. + + If unset, defaults are used. See nodePlacement for more details. 
+ properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to DNS pods. + + If empty, the default is used, which is currently the following: + + kubernetes.io/os: linux + + This default is subject to change. + + If set, the specified selector is used and replaces the default. + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to DNS pods. + + If empty, the DNS operator sets a toleration for the + "node-role.kubernetes.io/master" taint. This default is subject to + change. Specifying tolerations without including a toleration for + the "node-role.kubernetes.io/master" taint may be risky as it could + lead to an outage if all worker nodes become unavailable. + + Note that the daemon controller adds some tolerations as well. See + https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel controls the logging level of the DNS Operator. + Valid values are: "Normal", "Debug", "Trace". + Defaults to "Normal". + setting operatorLogLevel: Trace will produce extremely verbose logs. + enum: + - Normal + - Debug + - Trace + type: string + servers: + description: |- + servers is a list of DNS resolvers that provide name query delegation for one or + more subdomains outside the scope of the cluster domain. If servers consists of + more than one Server, longest suffix match will be used to determine the Server. + + For example, if there are two Servers, one for "foo.com" and another for "a.foo.com", + and the name query is for "www.a.foo.com", it will be routed to the Server with Zone + "a.foo.com". + + If this field is nil, no servers are created. + items: + description: Server defines the schema for a server that runs per + instance of CoreDNS. + properties: + forwardPlugin: + description: |- + forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages + to upstream resolvers. + properties: + policy: + default: Random + description: |- + policy is used to determine the order in which upstream servers are selected for querying. 
+ Any one of the following values may be specified: + + * "Random" picks a random upstream server for each query. + * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. + * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query. + + The default value is "Random" + enum: + - Random + - RoundRobin + - Sequential + type: string + protocolStrategy: + description: |- + protocolStrategy specifies the protocol to use for upstream DNS + requests. + Valid values for protocolStrategy are "TCP" and omitted. + When omitted, this means no opinion and the platform is left to choose + a reasonable default, which is subject to change over time. + The current default is to use the protocol of the original client request. + "TCP" specifies that the platform should use TCP for all upstream DNS requests, + even if the client request uses UDP. + "TCP" is useful for UDP-specific issues such as those created by + non-compliant upstream resolvers, but may consume more bandwidth or + increase DNS response time. Note that protocolStrategy only affects + the protocol of DNS requests that CoreDNS makes to upstream resolvers. + It does not affect the protocol of DNS requests between clients and + CoreDNS. + enum: + - TCP + - "" + type: string + transportConfig: + description: |- + transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use + when forwarding DNS requests to an upstream resolver. + + The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS + requests to an upstream resolver. + properties: + tls: + description: tls contains the additional configuration + options to use when Transport is set to "TLS". 
+ properties: + caBundle: + description: |- + caBundle references a ConfigMap that must contain either a single + CA Certificate or a CA Bundle. This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of upstream resolvers. + + 1. The configmap must contain a `ca-bundle.crt` key. + 2. The value must be a PEM encoded CA certificate or CA bundle. + 3. The administrator must create this configmap in the openshift-config namespace. + 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is + set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the + TLS certificate installed in the upstream resolver(s). + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - serverName + type: object + transport: + description: |- + transport allows cluster administrators to opt-in to using a DNS-over-TLS + connection between cluster DNS and an upstream resolver(s). Configuring + TLS as the transport at this level without configuring a CABundle will + result in the system certificates being used to verify the serving + certificate of the upstream resolver(s). + + Possible values: + "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject + to change over time. The current default is "Cleartext". + "Cleartext" - Cluster admin specified cleartext option. 
This results in the same functionality + as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, + or wants to switch from "TLS" to "Cleartext" explicitly. + "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, + you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default + per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1. + enum: + - TLS + - Cleartext + - "" + type: string + type: object + upstreams: + description: |- + upstreams is a list of resolvers to forward name queries for subdomains of Zones. + Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream + returns an error during the exchange, another resolver is tried from Upstreams. The + Upstreams are selected in the order specified in Policy. Each upstream is represented + by an IP address or IP:port if the upstream listens on a port other than 53. + + A maximum of 15 upstreams is allowed per ForwardPlugin. + items: + type: string + maxItems: 15 + type: array + x-kubernetes-list-type: set + type: object + name: + description: |- + name is required and specifies a unique name for the server. Name must comply + with the Service Name Syntax of rfc6335. + type: string + zones: + description: |- + zones is required and specifies the subdomains that Server is authoritative for. + Zones must conform to the rfc1123 definition of a subdomain. Specifying the + cluster domain (i.e., "cluster.local") is invalid. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + required: + - name + - zones + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + upstreamResolvers: + default: {} + description: |- + upstreamResolvers defines a schema for configuring CoreDNS + to proxy DNS messages to upstream resolvers for the case of the + default (".") server + + If this field is not specified, the upstream used will default to + /etc/resolv.conf, with policy "sequential" + properties: + policy: + default: Sequential + description: |- + policy is used to determine the order in which upstream servers are selected for querying. + Any one of the following values may be specified: + + * "Random" picks a random upstream server for each query. + * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. + * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query. + + The default value is "Sequential" + enum: + - Random + - RoundRobin + - Sequential + type: string + protocolStrategy: + description: |- + protocolStrategy specifies the protocol to use for upstream DNS + requests. + Valid values for protocolStrategy are "TCP" and omitted. + When omitted, this means no opinion and the platform is left to choose + a reasonable default, which is subject to change over time. + The current default is to use the protocol of the original client request. + "TCP" specifies that the platform should use TCP for all upstream DNS requests, + even if the client request uses UDP. + "TCP" is useful for UDP-specific issues such as those created by + non-compliant upstream resolvers, but may consume more bandwidth or + increase DNS response time. Note that protocolStrategy only affects + the protocol of DNS requests that CoreDNS makes to upstream resolvers. 
+ It does not affect the protocol of DNS requests between clients and + CoreDNS. + enum: + - TCP + - "" + type: string + transportConfig: + description: |- + transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use + when forwarding DNS requests to an upstream resolver. + + The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS + requests to an upstream resolver. + properties: + tls: + description: tls contains the additional configuration options + to use when Transport is set to "TLS". + properties: + caBundle: + description: |- + caBundle references a ConfigMap that must contain either a single + CA Certificate or a CA Bundle. This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of upstream resolvers. + + 1. The configmap must contain a `ca-bundle.crt` key. + 2. The value must be a PEM encoded CA certificate or CA bundle. + 3. The administrator must create this configmap in the openshift-config namespace. + 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is + set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the + TLS certificate installed in the upstream resolver(s). 
+ maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - serverName + type: object + transport: + description: |- + transport allows cluster administrators to opt-in to using a DNS-over-TLS + connection between cluster DNS and an upstream resolver(s). Configuring + TLS as the transport at this level without configuring a CABundle will + result in the system certificates being used to verify the serving + certificate of the upstream resolver(s). + + Possible values: + "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject + to change over time. The current default is "Cleartext". + "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality + as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, + or wants to switch from "TLS" to "Cleartext" explicitly. + "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, + you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default + per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1. + enum: + - TLS + - Cleartext + - "" + type: string + type: object + upstreams: + default: + - type: SystemResolvConf + description: |- + upstreams is a list of resolvers to forward name queries for the "." domain. + Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream + returns an error during the exchange, another resolver is tried from Upstreams. The + Upstreams are selected in the order specified in Policy. + + A maximum of 15 upstreams is allowed per ForwardPlugin. 
+ If no Upstreams are specified, /etc/resolv.conf is used by default + items: + anyOf: + - not: + required: + - address + - port + properties: + type: + enum: + - "" + - SystemResolvConf + - optional: + - port + properties: + type: + enum: + - Network + required: + - address + description: |- + Upstream can either be of type SystemResolvConf, or of type Network. + + - For an Upstream of type SystemResolvConf, no further fields are necessary: + The upstream will be configured to use /etc/resolv.conf. + - For an Upstream of type Network, a NetworkResolver field needs to be defined + with an IP address or IP:port if the upstream listens on a port other than 53. + properties: + address: + anyOf: + - format: ipv4 + - format: ipv6 + description: |- + address must be defined when Type is set to Network. It will be ignored otherwise. + It must be a valid ipv4 or ipv6 address. + type: string + port: + default: 53 + description: |- + port may be defined when Type is set to Network. It will be ignored otherwise. + Port must be between 65535 + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: + description: |- + type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf. + Type accepts 2 possible values: SystemResolvConf or Network. + + * When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined: + /etc/resolv.conf will be used + * When Network is used, the Upstream structure must contain at least an Address + enum: + - SystemResolvConf + - Network + - "" + type: string + required: + - type + type: object + maxItems: 15 + type: array + x-kubernetes-list-type: atomic + type: object + type: object + status: + description: status is the most recently observed status of the DNS. + properties: + clusterDomain: + description: |- + clusterDomain is the local cluster DNS domain suffix for DNS services. 
+ This will be a subdomain as defined in RFC 1034, + section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5 + Example: "cluster.local" + + More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service + type: string + clusterIP: + description: |- + clusterIP is the service IP through which this DNS is made available. + + In the case of the default DNS, this will be a well known IP that is used + as the default nameserver for pods that are using the default ClusterFirst DNS policy. + + In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list + or used explicitly when performing name resolution from within the cluster. + Example: dig foo.com @ + + More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + type: string + conditions: + description: |- + conditions provide information about the state of the DNS on the cluster. + + These are the supported DNS conditions: + + * Available + - True if the following conditions are met: + * DNS controller daemonset is available. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - clusterDomain + - clusterIP + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..670b8b80d7b --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,705 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: dnses.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + DNS manages the CoreDNS component to provide a name resolution service + for pods and services in the cluster. + + This supports the DNS-based service discovery specification: + https://github.com/kubernetes/dns/blob/master/docs/specification.md + + More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + DNS. 
+ properties: + cache: + description: |- + cache describes the caching configuration that applies to all server blocks listed in the Corefile. + This field allows a cluster admin to optionally configure: + * positiveTTL which is a duration for which positive responses should be cached. + * negativeTTL which is a duration for which negative responses should be cached. + If this is not configured, OpenShift will configure positive and negative caching with a default value that is + subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is + 30 seconds or as noted in the respective Corefile for your version of OpenShift. + properties: + negativeTTL: + description: |- + negativeTTL is optional and specifies the amount of time that a negative response should be cached. + + If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This + field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, + e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second. + If the configured value is less than 1s, the default value will be used. + If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted + otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject + to change. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + positiveTTL: + description: |- + positiveTTL is optional and specifies the amount of time that a positive response should be cached. + + If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This + field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, + e.g. "100s", "1m30s", "12h30m10s". 
Values that are fractions of a second are rounded down to the nearest second. + If the configured value is less than 1s, the default value will be used. + If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted + otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject + to change. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + type: object + logLevel: + default: Normal + description: |- + logLevel describes the desired logging verbosity for CoreDNS. + Any one of the following values may be specified: + * Normal logs errors from upstream resolvers. + * Debug logs errors, NXDOMAIN responses, and NODATA responses. + * Trace logs errors and all responses. + Setting logLevel: Trace will produce extremely verbose logs. + Valid values are: "Normal", "Debug", "Trace". + Defaults to "Normal". + enum: + - Normal + - Debug + - Trace + type: string + managementState: + description: |- + managementState indicates whether the DNS operator should manage cluster + DNS + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + nodePlacement: + description: |- + nodePlacement provides explicit control over the scheduling of DNS + pods. + + Generally, it is useful to run a DNS pod on every node so that DNS + queries are always handled by a local DNS pod instead of going over + the network to a DNS pod on another node. However, security policies + may require restricting the placement of DNS pods to specific nodes. + For example, if a security policy prohibits pods on arbitrary nodes + from communicating with the API, a node selector can be specified to + restrict DNS pods to nodes that are permitted to communicate with the + API. Conversely, if running DNS pods on nodes with a particular + taint is desired, a toleration can be specified for that taint. + + If unset, defaults are used. See nodePlacement for more details. 
+ properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to DNS pods. + + If empty, the default is used, which is currently the following: + + kubernetes.io/os: linux + + This default is subject to change. + + If set, the specified selector is used and replaces the default. + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to DNS pods. + + If empty, the DNS operator sets a toleration for the + "node-role.kubernetes.io/master" taint. This default is subject to + change. Specifying tolerations without including a toleration for + the "node-role.kubernetes.io/master" taint may be risky as it could + lead to an outage if all worker nodes become unavailable. + + Note that the daemon controller adds some tolerations as well. See + https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel controls the logging level of the DNS Operator. + Valid values are: "Normal", "Debug", "Trace". + Defaults to "Normal". + setting operatorLogLevel: Trace will produce extremely verbose logs. + enum: + - Normal + - Debug + - Trace + type: string + servers: + description: |- + servers is a list of DNS resolvers that provide name query delegation for one or + more subdomains outside the scope of the cluster domain. If servers consists of + more than one Server, longest suffix match will be used to determine the Server. + + For example, if there are two Servers, one for "foo.com" and another for "a.foo.com", + and the name query is for "www.a.foo.com", it will be routed to the Server with Zone + "a.foo.com". + + If this field is nil, no servers are created. + items: + description: Server defines the schema for a server that runs per + instance of CoreDNS. + properties: + forwardPlugin: + description: |- + forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages + to upstream resolvers. + properties: + policy: + default: Random + description: |- + policy is used to determine the order in which upstream servers are selected for querying. 
+ Any one of the following values may be specified: + + * "Random" picks a random upstream server for each query. + * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. + * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query. + + The default value is "Random" + enum: + - Random + - RoundRobin + - Sequential + type: string + protocolStrategy: + description: |- + protocolStrategy specifies the protocol to use for upstream DNS + requests. + Valid values for protocolStrategy are "TCP" and omitted. + When omitted, this means no opinion and the platform is left to choose + a reasonable default, which is subject to change over time. + The current default is to use the protocol of the original client request. + "TCP" specifies that the platform should use TCP for all upstream DNS requests, + even if the client request uses UDP. + "TCP" is useful for UDP-specific issues such as those created by + non-compliant upstream resolvers, but may consume more bandwidth or + increase DNS response time. Note that protocolStrategy only affects + the protocol of DNS requests that CoreDNS makes to upstream resolvers. + It does not affect the protocol of DNS requests between clients and + CoreDNS. + enum: + - TCP + - "" + type: string + transportConfig: + description: |- + transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use + when forwarding DNS requests to an upstream resolver. + + The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS + requests to an upstream resolver. + properties: + tls: + description: tls contains the additional configuration + options to use when Transport is set to "TLS". 
+ properties: + caBundle: + description: |- + caBundle references a ConfigMap that must contain either a single + CA Certificate or a CA Bundle. This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of upstream resolvers. + + 1. The configmap must contain a `ca-bundle.crt` key. + 2. The value must be a PEM encoded CA certificate or CA bundle. + 3. The administrator must create this configmap in the openshift-config namespace. + 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is + set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the + TLS certificate installed in the upstream resolver(s). + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - serverName + type: object + transport: + description: |- + transport allows cluster administrators to opt-in to using a DNS-over-TLS + connection between cluster DNS and an upstream resolver(s). Configuring + TLS as the transport at this level without configuring a CABundle will + result in the system certificates being used to verify the serving + certificate of the upstream resolver(s). + + Possible values: + "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject + to change over time. The current default is "Cleartext". + "Cleartext" - Cluster admin specified cleartext option. 
This results in the same functionality + as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, + or wants to switch from "TLS" to "Cleartext" explicitly. + "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, + you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default + per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1. + enum: + - TLS + - Cleartext + - "" + type: string + type: object + upstreams: + description: |- + upstreams is a list of resolvers to forward name queries for subdomains of Zones. + Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream + returns an error during the exchange, another resolver is tried from Upstreams. The + Upstreams are selected in the order specified in Policy. Each upstream is represented + by an IP address or IP:port if the upstream listens on a port other than 53. + + A maximum of 15 upstreams is allowed per ForwardPlugin. + items: + type: string + maxItems: 15 + type: array + x-kubernetes-list-type: set + type: object + name: + description: |- + name is required and specifies a unique name for the server. Name must comply + with the Service Name Syntax of rfc6335. + type: string + zones: + description: |- + zones is required and specifies the subdomains that Server is authoritative for. + Zones must conform to the rfc1123 definition of a subdomain. Specifying the + cluster domain (i.e., "cluster.local") is invalid. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - name + - zones + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + template: + description: |- + template is an optional configuration for custom DNS query handling via the CoreDNS template plugin. 
+ The template defines how to handle queries matching specific zones and query types. + + The template applies to all domains (custom domains from spec.servers and the cluster domain) + to ensure consistent DNS resolution across all paths. + + When this field is not set, no template plugin configuration is added to CoreDNS. + properties: + action: + description: |- + action defines how to handle queries matching this template's zones and query type. + The action builds a single DNS response by specifying the response code and may be + extended by additional fields in the future. + properties: + rcode: + description: |- + rcode is the DNS response code to return. + Valid values are "NOERROR". + + The template returns a response with no answer records. For AAAA filtering, + this means IPv6 address queries return successfully but with no IPv6 addresses, + causing clients to fall back to IPv4 (A record) queries. + enum: + - NOERROR + type: string + required: + - rcode + type: object + queryClass: + description: |- + queryClass specifies the DNS query class to match. + Valid values are "IN". + enum: + - IN + type: string + queryType: + description: |- + queryType specifies the DNS query type to match. + Valid values are "AAAA". + enum: + - AAAA + type: string + zones: + description: |- + zones specifies the DNS zones this template applies to. + Each zone must be a valid DNS name as defined in RFC 1123. + The special zone "." matches all domains (catch-all). + Multiple zones can be specified to apply the same template actions to multiple domains. + At least 1 and at most 15 zones may be specified. + + Note: root zone (".") includes cluster domain (cluster.local); use specific zones to avoid impacting IPv6 queries in IPv6 or dual-stack clusters. 
+ + Examples: + - ["."] matches all domains (catch-all for global AAAA filtering) + - ["example.com"] matches only example.com and its subdomains + - ["example.com", "test.com"] matches both domains and their subdomains + items: + description: |- + Zone is a DNS zone name. It must be either "." (catch-all) or a valid RFC1123 subdomain. + Valid RFC1123 subdomains consist of lowercase alphanumeric characters, hyphens, and dots. + Labels cannot start or end with hyphens and must be 1-63 characters each. + maxLength: 253 + pattern: ^(\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$ + type: string + maxItems: 15 + minItems: 1 + type: array + x-kubernetes-list-type: set + required: + - action + - queryClass + - queryType + - zones + type: object + upstreamResolvers: + default: {} + description: |- + upstreamResolvers defines a schema for configuring CoreDNS + to proxy DNS messages to upstream resolvers for the case of the + default (".") server + + If this field is not specified, the upstream used will default to + /etc/resolv.conf, with policy "sequential" + properties: + policy: + default: Sequential + description: |- + policy is used to determine the order in which upstream servers are selected for querying. + Any one of the following values may be specified: + + * "Random" picks a random upstream server for each query. + * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. + * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query. + + The default value is "Sequential" + enum: + - Random + - RoundRobin + - Sequential + type: string + protocolStrategy: + description: |- + protocolStrategy specifies the protocol to use for upstream DNS + requests. + Valid values for protocolStrategy are "TCP" and omitted. 
+ When omitted, this means no opinion and the platform is left to choose + a reasonable default, which is subject to change over time. + The current default is to use the protocol of the original client request. + "TCP" specifies that the platform should use TCP for all upstream DNS requests, + even if the client request uses UDP. + "TCP" is useful for UDP-specific issues such as those created by + non-compliant upstream resolvers, but may consume more bandwidth or + increase DNS response time. Note that protocolStrategy only affects + the protocol of DNS requests that CoreDNS makes to upstream resolvers. + It does not affect the protocol of DNS requests between clients and + CoreDNS. + enum: + - TCP + - "" + type: string + transportConfig: + description: |- + transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use + when forwarding DNS requests to an upstream resolver. + + The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS + requests to an upstream resolver. + properties: + tls: + description: tls contains the additional configuration options + to use when Transport is set to "TLS". + properties: + caBundle: + description: |- + caBundle references a ConfigMap that must contain either a single + CA Certificate or a CA Bundle. This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of upstream resolvers. + + 1. The configmap must contain a `ca-bundle.crt` key. + 2. The value must be a PEM encoded CA certificate or CA bundle. + 3. The administrator must create this configmap in the openshift-config namespace. + 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName. 
+ properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is + set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the + TLS certificate installed in the upstream resolver(s). + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - serverName + type: object + transport: + description: |- + transport allows cluster administrators to opt-in to using a DNS-over-TLS + connection between cluster DNS and an upstream resolver(s). Configuring + TLS as the transport at this level without configuring a CABundle will + result in the system certificates being used to verify the serving + certificate of the upstream resolver(s). + + Possible values: + "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject + to change over time. The current default is "Cleartext". + "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality + as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, + or wants to switch from "TLS" to "Cleartext" explicitly. + "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, + you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default + per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1. 
+ enum: + - TLS + - Cleartext + - "" + type: string + type: object + upstreams: + default: + - type: SystemResolvConf + description: |- + upstreams is a list of resolvers to forward name queries for the "." domain. + Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream + returns an error during the exchange, another resolver is tried from Upstreams. The + Upstreams are selected in the order specified in Policy. + + A maximum of 15 upstreams is allowed per ForwardPlugin. + If no Upstreams are specified, /etc/resolv.conf is used by default + items: + anyOf: + - not: + required: + - address + - port + properties: + type: + enum: + - "" + - SystemResolvConf + - optional: + - port + properties: + type: + enum: + - Network + required: + - address + description: |- + Upstream can either be of type SystemResolvConf, or of type Network. + + - For an Upstream of type SystemResolvConf, no further fields are necessary: + The upstream will be configured to use /etc/resolv.conf. + - For an Upstream of type Network, a NetworkResolver field needs to be defined + with an IP address or IP:port if the upstream listens on a port other than 53. + properties: + address: + anyOf: + - format: ipv4 + - format: ipv6 + description: |- + address must be defined when Type is set to Network. It will be ignored otherwise. + It must be a valid ipv4 or ipv6 address. + type: string + port: + default: 53 + description: |- + port may be defined when Type is set to Network. It will be ignored otherwise. + Port must be between 65535 + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: + description: |- + type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf. + Type accepts 2 possible values: SystemResolvConf or Network. 
+ + * When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined: + /etc/resolv.conf will be used + * When Network is used, the Upstream structure must contain at least an Address + enum: + - SystemResolvConf + - Network + - "" + type: string + required: + - type + type: object + maxItems: 15 + type: array + x-kubernetes-list-type: atomic + type: object + type: object + status: + description: status is the most recently observed status of the DNS. + properties: + clusterDomain: + description: |- + clusterDomain is the local cluster DNS domain suffix for DNS services. + This will be a subdomain as defined in RFC 1034, + section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5 + Example: "cluster.local" + + More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service + type: string + clusterIP: + description: |- + clusterIP is the service IP through which this DNS is made available. + + In the case of the default DNS, this will be a well known IP that is used + as the default nameserver for pods that are using the default ClusterFirst DNS policy. + + In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list + or used explicitly when performing name resolution from within the cluster. + Example: dig foo.com @ + + More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + type: string + conditions: + description: |- + conditions provide information about the state of the DNS on the cluster. + + These are the supported DNS conditions: + + * Available + - True if the following conditions are met: + * DNS controller daemonset is available. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - clusterDomain + - clusterIP + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-OKD.crd.yaml similarity index 98% rename from operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses.crd.yaml rename to operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-OKD.crd.yaml index 457a47c4696..579499e35fa 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-OKD.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: dnses.operator.openshift.io spec: group: operator.openshift.io @@ -191,6 +192,7 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic type: object operatorLogLevel: default: Normal 
@@ -337,6 +339,7 @@ spec: type: string maxItems: 15 type: array + x-kubernetes-list-type: set type: object name: description: |- @@ -351,8 +354,15 @@ spec: items: type: string type: array + x-kubernetes-list-type: set + required: + - name + - zones type: object type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map upstreamResolvers: default: {} description: |- @@ -536,6 +546,7 @@ spec: type: object maxItems: 15 type: array + x-kubernetes-list-type: atomic type: object type: object status: @@ -604,6 +615,9 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map required: - clusterDomain - clusterIP diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..4ba68d4fb01 --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,629 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: dnses.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + DNS manages the CoreDNS component to provide a name resolution service + for pods and services in the cluster. + + This supports the DNS-based service discovery specification: + https://github.com/kubernetes/dns/blob/master/docs/specification.md + + More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + DNS. 
+ properties: + cache: + description: |- + cache describes the caching configuration that applies to all server blocks listed in the Corefile. + This field allows a cluster admin to optionally configure: + * positiveTTL which is a duration for which positive responses should be cached. + * negativeTTL which is a duration for which negative responses should be cached. + If this is not configured, OpenShift will configure positive and negative caching with a default value that is + subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is + 30 seconds or as noted in the respective Corefile for your version of OpenShift. + properties: + negativeTTL: + description: |- + negativeTTL is optional and specifies the amount of time that a negative response should be cached. + + If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This + field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, + e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second. + If the configured value is less than 1s, the default value will be used. + If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted + otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject + to change. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + positiveTTL: + description: |- + positiveTTL is optional and specifies the amount of time that a positive response should be cached. + + If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This + field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, + e.g. "100s", "1m30s", "12h30m10s". 
Values that are fractions of a second are rounded down to the nearest second. + If the configured value is less than 1s, the default value will be used. + If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted + otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject + to change. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + type: object + logLevel: + default: Normal + description: |- + logLevel describes the desired logging verbosity for CoreDNS. + Any one of the following values may be specified: + * Normal logs errors from upstream resolvers. + * Debug logs errors, NXDOMAIN responses, and NODATA responses. + * Trace logs errors and all responses. + Setting logLevel: Trace will produce extremely verbose logs. + Valid values are: "Normal", "Debug", "Trace". + Defaults to "Normal". + enum: + - Normal + - Debug + - Trace + type: string + managementState: + description: |- + managementState indicates whether the DNS operator should manage cluster + DNS + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + nodePlacement: + description: |- + nodePlacement provides explicit control over the scheduling of DNS + pods. + + Generally, it is useful to run a DNS pod on every node so that DNS + queries are always handled by a local DNS pod instead of going over + the network to a DNS pod on another node. However, security policies + may require restricting the placement of DNS pods to specific nodes. + For example, if a security policy prohibits pods on arbitrary nodes + from communicating with the API, a node selector can be specified to + restrict DNS pods to nodes that are permitted to communicate with the + API. Conversely, if running DNS pods on nodes with a particular + taint is desired, a toleration can be specified for that taint. + + If unset, defaults are used. See nodePlacement for more details. 
+ properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to DNS pods. + + If empty, the default is used, which is currently the following: + + kubernetes.io/os: linux + + This default is subject to change. + + If set, the specified selector is used and replaces the default. + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to DNS pods. + + If empty, the DNS operator sets a toleration for the + "node-role.kubernetes.io/master" taint. This default is subject to + change. Specifying tolerations without including a toleration for + the "node-role.kubernetes.io/master" taint may be risky as it could + lead to an outage if all worker nodes become unavailable. + + Note that the daemon controller adds some tolerations as well. See + https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel controls the logging level of the DNS Operator. + Valid values are: "Normal", "Debug", "Trace". + Defaults to "Normal". + setting operatorLogLevel: Trace will produce extremely verbose logs. + enum: + - Normal + - Debug + - Trace + type: string + servers: + description: |- + servers is a list of DNS resolvers that provide name query delegation for one or + more subdomains outside the scope of the cluster domain. If servers consists of + more than one Server, longest suffix match will be used to determine the Server. + + For example, if there are two Servers, one for "foo.com" and another for "a.foo.com", + and the name query is for "www.a.foo.com", it will be routed to the Server with Zone + "a.foo.com". + + If this field is nil, no servers are created. + items: + description: Server defines the schema for a server that runs per + instance of CoreDNS. + properties: + forwardPlugin: + description: |- + forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages + to upstream resolvers. + properties: + policy: + default: Random + description: |- + policy is used to determine the order in which upstream servers are selected for querying. 
+ Any one of the following values may be specified: + + * "Random" picks a random upstream server for each query. + * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. + * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query. + + The default value is "Random" + enum: + - Random + - RoundRobin + - Sequential + type: string + protocolStrategy: + description: |- + protocolStrategy specifies the protocol to use for upstream DNS + requests. + Valid values for protocolStrategy are "TCP" and omitted. + When omitted, this means no opinion and the platform is left to choose + a reasonable default, which is subject to change over time. + The current default is to use the protocol of the original client request. + "TCP" specifies that the platform should use TCP for all upstream DNS requests, + even if the client request uses UDP. + "TCP" is useful for UDP-specific issues such as those created by + non-compliant upstream resolvers, but may consume more bandwidth or + increase DNS response time. Note that protocolStrategy only affects + the protocol of DNS requests that CoreDNS makes to upstream resolvers. + It does not affect the protocol of DNS requests between clients and + CoreDNS. + enum: + - TCP + - "" + type: string + transportConfig: + description: |- + transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use + when forwarding DNS requests to an upstream resolver. + + The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS + requests to an upstream resolver. + properties: + tls: + description: tls contains the additional configuration + options to use when Transport is set to "TLS". 
+ properties: + caBundle: + description: |- + caBundle references a ConfigMap that must contain either a single + CA Certificate or a CA Bundle. This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of upstream resolvers. + + 1. The configmap must contain a `ca-bundle.crt` key. + 2. The value must be a PEM encoded CA certificate or CA bundle. + 3. The administrator must create this configmap in the openshift-config namespace. + 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is + set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the + TLS certificate installed in the upstream resolver(s). + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - serverName + type: object + transport: + description: |- + transport allows cluster administrators to opt-in to using a DNS-over-TLS + connection between cluster DNS and an upstream resolver(s). Configuring + TLS as the transport at this level without configuring a CABundle will + result in the system certificates being used to verify the serving + certificate of the upstream resolver(s). + + Possible values: + "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject + to change over time. The current default is "Cleartext". + "Cleartext" - Cluster admin specified cleartext option. 
This results in the same functionality + as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, + or wants to switch from "TLS" to "Cleartext" explicitly. + "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, + you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default + per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1. + enum: + - TLS + - Cleartext + - "" + type: string + type: object + upstreams: + description: |- + upstreams is a list of resolvers to forward name queries for subdomains of Zones. + Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream + returns an error during the exchange, another resolver is tried from Upstreams. The + Upstreams are selected in the order specified in Policy. Each upstream is represented + by an IP address or IP:port if the upstream listens on a port other than 53. + + A maximum of 15 upstreams is allowed per ForwardPlugin. + items: + type: string + maxItems: 15 + type: array + x-kubernetes-list-type: set + type: object + name: + description: |- + name is required and specifies a unique name for the server. Name must comply + with the Service Name Syntax of rfc6335. + type: string + zones: + description: |- + zones is required and specifies the subdomains that Server is authoritative for. + Zones must conform to the rfc1123 definition of a subdomain. Specifying the + cluster domain (i.e., "cluster.local") is invalid. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + required: + - name + - zones + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + upstreamResolvers: + default: {} + description: |- + upstreamResolvers defines a schema for configuring CoreDNS + to proxy DNS messages to upstream resolvers for the case of the + default (".") server + + If this field is not specified, the upstream used will default to + /etc/resolv.conf, with policy "sequential" + properties: + policy: + default: Sequential + description: |- + policy is used to determine the order in which upstream servers are selected for querying. + Any one of the following values may be specified: + + * "Random" picks a random upstream server for each query. + * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. + * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query. + + The default value is "Sequential" + enum: + - Random + - RoundRobin + - Sequential + type: string + protocolStrategy: + description: |- + protocolStrategy specifies the protocol to use for upstream DNS + requests. + Valid values for protocolStrategy are "TCP" and omitted. + When omitted, this means no opinion and the platform is left to choose + a reasonable default, which is subject to change over time. + The current default is to use the protocol of the original client request. + "TCP" specifies that the platform should use TCP for all upstream DNS requests, + even if the client request uses UDP. + "TCP" is useful for UDP-specific issues such as those created by + non-compliant upstream resolvers, but may consume more bandwidth or + increase DNS response time. Note that protocolStrategy only affects + the protocol of DNS requests that CoreDNS makes to upstream resolvers. 
+ It does not affect the protocol of DNS requests between clients and + CoreDNS. + enum: + - TCP + - "" + type: string + transportConfig: + description: |- + transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use + when forwarding DNS requests to an upstream resolver. + + The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS + requests to an upstream resolver. + properties: + tls: + description: tls contains the additional configuration options + to use when Transport is set to "TLS". + properties: + caBundle: + description: |- + caBundle references a ConfigMap that must contain either a single + CA Certificate or a CA Bundle. This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of upstream resolvers. + + 1. The configmap must contain a `ca-bundle.crt` key. + 2. The value must be a PEM encoded CA certificate or CA bundle. + 3. The administrator must create this configmap in the openshift-config namespace. + 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is + set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the + TLS certificate installed in the upstream resolver(s). 
+ maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - serverName + type: object + transport: + description: |- + transport allows cluster administrators to opt-in to using a DNS-over-TLS + connection between cluster DNS and an upstream resolver(s). Configuring + TLS as the transport at this level without configuring a CABundle will + result in the system certificates being used to verify the serving + certificate of the upstream resolver(s). + + Possible values: + "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject + to change over time. The current default is "Cleartext". + "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality + as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, + or wants to switch from "TLS" to "Cleartext" explicitly. + "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, + you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default + per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1. + enum: + - TLS + - Cleartext + - "" + type: string + type: object + upstreams: + default: + - type: SystemResolvConf + description: |- + upstreams is a list of resolvers to forward name queries for the "." domain. + Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream + returns an error during the exchange, another resolver is tried from Upstreams. The + Upstreams are selected in the order specified in Policy. + + A maximum of 15 upstreams is allowed per ForwardPlugin. 
+ If no Upstreams are specified, /etc/resolv.conf is used by default + items: + anyOf: + - not: + required: + - address + - port + properties: + type: + enum: + - "" + - SystemResolvConf + - optional: + - port + properties: + type: + enum: + - Network + required: + - address + description: |- + Upstream can either be of type SystemResolvConf, or of type Network. + + - For an Upstream of type SystemResolvConf, no further fields are necessary: + The upstream will be configured to use /etc/resolv.conf. + - For an Upstream of type Network, a NetworkResolver field needs to be defined + with an IP address or IP:port if the upstream listens on a port other than 53. + properties: + address: + anyOf: + - format: ipv4 + - format: ipv6 + description: |- + address must be defined when Type is set to Network. It will be ignored otherwise. + It must be a valid ipv4 or ipv6 address. + type: string + port: + default: 53 + description: |- + port may be defined when Type is set to Network. It will be ignored otherwise. + Port must be between 65535 + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: + description: |- + type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf. + Type accepts 2 possible values: SystemResolvConf or Network. + + * When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined: + /etc/resolv.conf will be used + * When Network is used, the Upstream structure must contain at least an Address + enum: + - SystemResolvConf + - Network + - "" + type: string + required: + - type + type: object + maxItems: 15 + type: array + x-kubernetes-list-type: atomic + type: object + type: object + status: + description: status is the most recently observed status of the DNS. + properties: + clusterDomain: + description: |- + clusterDomain is the local cluster DNS domain suffix for DNS services. 
+ This will be a subdomain as defined in RFC 1034, + section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5 + Example: "cluster.local" + + More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service + type: string + clusterIP: + description: |- + clusterIP is the service IP through which this DNS is made available. + + In the case of the default DNS, this will be a well known IP that is used + as the default nameserver for pods that are using the default ClusterFirst DNS policy. + + In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list + or used explicitly when performing name resolution from within the cluster. + Example: dig foo.com @ + + More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + type: string + conditions: + description: |- + conditions provide information about the state of the DNS on the cluster. + + These are the supported DNS conditions: + + * Available + - True if the following conditions are met: + * DNS controller daemonset is available. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - clusterDomain + - clusterIP + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go index 3d3c8f4f825..0b4b2e739da 100644 --- a/operator/v1/zz_generated.deepcopy.go +++ b/operator/v1/zz_generated.deepcopy.go @@ -1319,6 +1319,7 @@ func (in *DNSSpec) DeepCopyInto(out *DNSSpec) { in.UpstreamResolvers.DeepCopyInto(&out.UpstreamResolvers) in.NodePlacement.DeepCopyInto(&out.NodePlacement) out.Cache = in.Cache + in.Template.DeepCopyInto(&out.Template) return } 
@@ -1355,6 +1356,44 @@ func (in *DNSStatus) DeepCopy() *DNSStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DNSTemplate) DeepCopyInto(out *DNSTemplate) { + *out = *in + if in.Zones != nil { + in, out := &in.Zones, &out.Zones + *out = make([]Zone, len(*in)) + copy(*out, *in) + } + out.Action = in.Action + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSTemplate. +func (in *DNSTemplate) DeepCopy() *DNSTemplate { + if in == nil { + return nil + } + out := new(DNSTemplate) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DNSTemplateAction) DeepCopyInto(out *DNSTemplateAction) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSTemplateAction. +func (in *DNSTemplateAction) DeepCopy() *DNSTemplateAction { + if in == nil { + return nil + } + out := new(DNSTemplateAction) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DNSTransportConfig) DeepCopyInto(out *DNSTransportConfig) { *out = *in diff --git a/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/operator/v1/zz_generated.featuregated-crd-manifests.yaml index 53cf23ade1f..9ac383f76a8 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -132,7 +132,8 @@ dnses.operator.openshift.io: CRDName: dnses.operator.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - DNSTemplatePlugin FilenameOperatorName: dns FilenameOperatorOrdering: "00" FilenameRunLevel: "0000_70" 
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/AAA_ungated.yaml index f85c751efc1..08fd49560aa 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/AAA_ungated.yaml @@ -192,6 +192,7 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic type: object operatorLogLevel: default: Normal @@ -338,6 +339,7 @@ spec: type: string maxItems: 15 type: array + x-kubernetes-list-type: set type: object name: description: |- @@ -352,8 +354,15 @@ spec: items: type: string type: array + x-kubernetes-list-type: set + required: + - name + - zones type: object type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map upstreamResolvers: description: |- upstreamResolvers defines a schema for configuring CoreDNS @@ -515,6 +524,7 @@ spec: type: object maxItems: 15 type: array + x-kubernetes-list-type: atomic type: object type: object status: @@ -583,6 +593,9 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map required: - clusterDomain - clusterIP diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml new file mode 100644 index 00000000000..9bf4400af5c --- /dev/null +++ b/operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml 
@@ -0,0 +1,683 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/filename-cvo-runlevel: "0000_70" + api.openshift.io/filename-operator: dns + api.openshift.io/filename-ordering: "00" + feature-gate.release.openshift.io/DNSTemplatePlugin: "true" + name: dnses.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + DNS manages the CoreDNS component to provide a name resolution service + for pods and services in the cluster. + + This supports the DNS-based service discovery specification: + https://github.com/kubernetes/dns/blob/master/docs/specification.md + + More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + DNS. 
+ properties: + cache: + description: |- + cache describes the caching configuration that applies to all server blocks listed in the Corefile. + This field allows a cluster admin to optionally configure: + * positiveTTL which is a duration for which positive responses should be cached. + * negativeTTL which is a duration for which negative responses should be cached. + If this is not configured, OpenShift will configure positive and negative caching with a default value that is + subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is + 30 seconds or as noted in the respective Corefile for your version of OpenShift. + properties: + negativeTTL: + description: |- + negativeTTL is optional and specifies the amount of time that a negative response should be cached. + + If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This + field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, + e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second. + If the configured value is less than 1s, the default value will be used. + If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted + otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject + to change. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + positiveTTL: + description: |- + positiveTTL is optional and specifies the amount of time that a positive response should be cached. + + If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This + field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, + e.g. "100s", "1m30s", "12h30m10s". 
Values that are fractions of a second are rounded down to the nearest second. + If the configured value is less than 1s, the default value will be used. + If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted + otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject + to change. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + type: object + logLevel: + default: Normal + description: |- + logLevel describes the desired logging verbosity for CoreDNS. + Any one of the following values may be specified: + * Normal logs errors from upstream resolvers. + * Debug logs errors, NXDOMAIN responses, and NODATA responses. + * Trace logs errors and all responses. + Setting logLevel: Trace will produce extremely verbose logs. + Valid values are: "Normal", "Debug", "Trace". + Defaults to "Normal". + enum: + - Normal + - Debug + - Trace + type: string + managementState: + description: |- + managementState indicates whether the DNS operator should manage cluster + DNS + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + nodePlacement: + description: |- + nodePlacement provides explicit control over the scheduling of DNS + pods. + + Generally, it is useful to run a DNS pod on every node so that DNS + queries are always handled by a local DNS pod instead of going over + the network to a DNS pod on another node. However, security policies + may require restricting the placement of DNS pods to specific nodes. + For example, if a security policy prohibits pods on arbitrary nodes + from communicating with the API, a node selector can be specified to + restrict DNS pods to nodes that are permitted to communicate with the + API. Conversely, if running DNS pods on nodes with a particular + taint is desired, a toleration can be specified for that taint. + + If unset, defaults are used. See nodePlacement for more details. 
+ properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to DNS pods. + + If empty, the default is used, which is currently the following: + + kubernetes.io/os: linux + + This default is subject to change. + + If set, the specified selector is used and replaces the default. + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to DNS pods. + + If empty, the DNS operator sets a toleration for the + "node-role.kubernetes.io/master" taint. This default is subject to + change. Specifying tolerations without including a toleration for + the "node-role.kubernetes.io/master" taint may be risky as it could + lead to an outage if all worker nodes become unavailable. + + Note that the daemon controller adds some tolerations as well. See + https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel controls the logging level of the DNS Operator. + Valid values are: "Normal", "Debug", "Trace". + Defaults to "Normal". + setting operatorLogLevel: Trace will produce extremely verbose logs. + enum: + - Normal + - Debug + - Trace + type: string + servers: + description: |- + servers is a list of DNS resolvers that provide name query delegation for one or + more subdomains outside the scope of the cluster domain. If servers consists of + more than one Server, longest suffix match will be used to determine the Server. + + For example, if there are two Servers, one for "foo.com" and another for "a.foo.com", + and the name query is for "www.a.foo.com", it will be routed to the Server with Zone + "a.foo.com". + + If this field is nil, no servers are created. + items: + description: Server defines the schema for a server that runs per + instance of CoreDNS. + properties: + forwardPlugin: + description: |- + forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages + to upstream resolvers. + properties: + policy: + default: Random + description: |- + policy is used to determine the order in which upstream servers are selected for querying. 
+ Any one of the following values may be specified: + + * "Random" picks a random upstream server for each query. + * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. + * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query. + + The default value is "Random" + enum: + - Random + - RoundRobin + - Sequential + type: string + protocolStrategy: + description: |- + protocolStrategy specifies the protocol to use for upstream DNS + requests. + Valid values for protocolStrategy are "TCP" and omitted. + When omitted, this means no opinion and the platform is left to choose + a reasonable default, which is subject to change over time. + The current default is to use the protocol of the original client request. + "TCP" specifies that the platform should use TCP for all upstream DNS requests, + even if the client request uses UDP. + "TCP" is useful for UDP-specific issues such as those created by + non-compliant upstream resolvers, but may consume more bandwidth or + increase DNS response time. Note that protocolStrategy only affects + the protocol of DNS requests that CoreDNS makes to upstream resolvers. + It does not affect the protocol of DNS requests between clients and + CoreDNS. + enum: + - TCP + - "" + type: string + transportConfig: + description: |- + transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use + when forwarding DNS requests to an upstream resolver. + + The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS + requests to an upstream resolver. + properties: + tls: + description: tls contains the additional configuration + options to use when Transport is set to "TLS". 
+ properties: + caBundle: + description: |- + caBundle references a ConfigMap that must contain either a single + CA Certificate or a CA Bundle. This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of upstream resolvers. + + 1. The configmap must contain a `ca-bundle.crt` key. + 2. The value must be a PEM encoded CA certificate or CA bundle. + 3. The administrator must create this configmap in the openshift-config namespace. + 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is + set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the + TLS certificate installed in the upstream resolver(s). + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - serverName + type: object + transport: + description: |- + transport allows cluster administrators to opt-in to using a DNS-over-TLS + connection between cluster DNS and an upstream resolver(s). Configuring + TLS as the transport at this level without configuring a CABundle will + result in the system certificates being used to verify the serving + certificate of the upstream resolver(s). + + Possible values: + "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject + to change over time. The current default is "Cleartext". + "Cleartext" - Cluster admin specified cleartext option. 
This results in the same functionality + as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, + or wants to switch from "TLS" to "Cleartext" explicitly. + "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, + you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default + per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1. + enum: + - TLS + - Cleartext + - "" + type: string + type: object + upstreams: + description: |- + upstreams is a list of resolvers to forward name queries for subdomains of Zones. + Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream + returns an error during the exchange, another resolver is tried from Upstreams. The + Upstreams are selected in the order specified in Policy. Each upstream is represented + by an IP address or IP:port if the upstream listens on a port other than 53. + + A maximum of 15 upstreams is allowed per ForwardPlugin. + items: + type: string + maxItems: 15 + type: array + x-kubernetes-list-type: set + type: object + name: + description: |- + name is required and specifies a unique name for the server. Name must comply + with the Service Name Syntax of rfc6335. + type: string + zones: + description: |- + zones is required and specifies the subdomains that Server is authoritative for. + Zones must conform to the rfc1123 definition of a subdomain. Specifying the + cluster domain (i.e., "cluster.local") is invalid. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - name + - zones + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + template: + description: |- + template is an optional configuration for custom DNS query handling via the CoreDNS template plugin. 
+ The template defines how to handle queries matching specific zones and query types. + + The template applies to all domains (custom domains from spec.servers and the cluster domain) + to ensure consistent DNS resolution across all paths. + + When this field is not set, no template plugin configuration is added to CoreDNS. + properties: + action: + description: |- + action defines how to handle queries matching this template's zones and query type. + The action builds a single DNS response by specifying the response code and may be + extended by additional fields in the future. + properties: + rcode: + description: |- + rcode is the DNS response code to return. + Valid values are "NOERROR". + + The template returns a response with no answer records. For AAAA filtering, + this means IPv6 address queries return successfully but with no IPv6 addresses, + causing clients to fall back to IPv4 (A record) queries. + enum: + - NOERROR + type: string + required: + - rcode + type: object + queryClass: + description: |- + queryClass specifies the DNS query class to match. + Valid values are "IN". + enum: + - IN + type: string + queryType: + description: |- + queryType specifies the DNS query type to match. + Valid values are "AAAA". + enum: + - AAAA + type: string + zones: + description: |- + zones specifies the DNS zones this template applies to. + Each zone must be a valid DNS name as defined in RFC 1123. + The special zone "." matches all domains (catch-all). + Multiple zones can be specified to apply the same template actions to multiple domains. + At least 1 and at most 15 zones may be specified. + + Note: root zone (".") includes cluster domain (cluster.local); use specific zones to avoid impacting IPv6 queries in IPv6 or dual-stack clusters. 
+ + Examples: + - ["."] matches all domains (catch-all for global AAAA filtering) + - ["example.com"] matches only example.com and its subdomains + - ["example.com", "test.com"] matches both domains and their subdomains + items: + description: |- + Zone is a DNS zone name. It must be either "." (catch-all) or a valid RFC1123 subdomain. + Valid RFC1123 subdomains consist of lowercase alphanumeric characters, hyphens, and dots. + Labels cannot start or end with hyphens and must be 1-63 characters each. + maxLength: 253 + pattern: ^(\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$ + type: string + maxItems: 15 + minItems: 1 + type: array + x-kubernetes-list-type: set + required: + - action + - queryClass + - queryType + - zones + type: object + upstreamResolvers: + description: |- + upstreamResolvers defines a schema for configuring CoreDNS + to proxy DNS messages to upstream resolvers for the case of the + default (".") server + + If this field is not specified, the upstream used will default to + /etc/resolv.conf, with policy "sequential" + properties: + policy: + default: Sequential + description: |- + policy is used to determine the order in which upstream servers are selected for querying. + Any one of the following values may be specified: + + * "Random" picks a random upstream server for each query. + * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. + * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query. + + The default value is "Sequential" + enum: + - Random + - RoundRobin + - Sequential + type: string + protocolStrategy: + description: |- + protocolStrategy specifies the protocol to use for upstream DNS + requests. + Valid values for protocolStrategy are "TCP" and omitted. 
+ When omitted, this means no opinion and the platform is left to choose + a reasonable default, which is subject to change over time. + The current default is to use the protocol of the original client request. + "TCP" specifies that the platform should use TCP for all upstream DNS requests, + even if the client request uses UDP. + "TCP" is useful for UDP-specific issues such as those created by + non-compliant upstream resolvers, but may consume more bandwidth or + increase DNS response time. Note that protocolStrategy only affects + the protocol of DNS requests that CoreDNS makes to upstream resolvers. + It does not affect the protocol of DNS requests between clients and + CoreDNS. + enum: + - TCP + - "" + type: string + transportConfig: + description: |- + transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use + when forwarding DNS requests to an upstream resolver. + + The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS + requests to an upstream resolver. + properties: + tls: + description: tls contains the additional configuration options + to use when Transport is set to "TLS". + properties: + caBundle: + description: |- + caBundle references a ConfigMap that must contain either a single + CA Certificate or a CA Bundle. This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of upstream resolvers. + + 1. The configmap must contain a `ca-bundle.crt` key. + 2. The value must be a PEM encoded CA certificate or CA bundle. + 3. The administrator must create this configmap in the openshift-config namespace. + 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName. 
+ properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is + set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the + TLS certificate installed in the upstream resolver(s). + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - serverName + type: object + transport: + description: |- + transport allows cluster administrators to opt-in to using a DNS-over-TLS + connection between cluster DNS and an upstream resolver(s). Configuring + TLS as the transport at this level without configuring a CABundle will + result in the system certificates being used to verify the serving + certificate of the upstream resolver(s). + + Possible values: + "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject + to change over time. The current default is "Cleartext". + "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality + as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, + or wants to switch from "TLS" to "Cleartext" explicitly. + "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, + you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default + per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1. 
+ enum: + - TLS + - Cleartext + - "" + type: string + type: object + upstreams: + default: + - type: SystemResolvConf + description: |- + upstreams is a list of resolvers to forward name queries for the "." domain. + Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream + returns an error during the exchange, another resolver is tried from Upstreams. The + Upstreams are selected in the order specified in Policy. + + A maximum of 15 upstreams is allowed per ForwardPlugin. + If no Upstreams are specified, /etc/resolv.conf is used by default + items: + description: |- + Upstream can either be of type SystemResolvConf, or of type Network. + + - For an Upstream of type SystemResolvConf, no further fields are necessary: + The upstream will be configured to use /etc/resolv.conf. + - For an Upstream of type Network, a NetworkResolver field needs to be defined + with an IP address or IP:port if the upstream listens on a port other than 53. + properties: + address: + description: |- + address must be defined when Type is set to Network. It will be ignored otherwise. + It must be a valid ipv4 or ipv6 address. + type: string + port: + default: 53 + description: |- + port may be defined when Type is set to Network. It will be ignored otherwise. + Port must be between 65535 + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: + description: |- + type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf. + Type accepts 2 possible values: SystemResolvConf or Network. 
+ + * When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined: + /etc/resolv.conf will be used + * When Network is used, the Upstream structure must contain at least an Address + enum: + - SystemResolvConf + - Network + - "" + type: string + required: + - type + type: object + maxItems: 15 + type: array + x-kubernetes-list-type: atomic + type: object + type: object + status: + description: status is the most recently observed status of the DNS. + properties: + clusterDomain: + description: |- + clusterDomain is the local cluster DNS domain suffix for DNS services. + This will be a subdomain as defined in RFC 1034, + section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5 + Example: "cluster.local" + + More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service + type: string + clusterIP: + description: |- + clusterIP is the service IP through which this DNS is made available. + + In the case of the default DNS, this will be a well known IP that is used + as the default nameserver for pods that are using the default ClusterFirst DNS policy. + + In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list + or used explicitly when performing name resolution from within the cluster. + Example: dig foo.com @ + + More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + type: string + conditions: + description: |- + conditions provide information about the state of the DNS on the cluster. + + These are the supported DNS conditions: + + * Available + - True if the following conditions are met: + * DNS controller daemonset is available. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - clusterDomain + - clusterIP + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go index e35d997a763..26d9377877c 100644 --- a/operator/v1/zz_generated.swagger_doc_generated.go +++ b/operator/v1/zz_generated.swagger_doc_generated.go 
@@ -704,6 +704,7 @@ var map_DNSSpec = map[string]string{ "operatorLogLevel": "operatorLogLevel controls the logging level of the DNS Operator. Valid values are: \"Normal\", \"Debug\", \"Trace\". Defaults to \"Normal\". setting operatorLogLevel: Trace will produce extremely verbose logs.", "logLevel": "logLevel describes the desired logging verbosity for CoreDNS. Any one of the following values may be specified: * Normal logs errors from upstream resolvers. * Debug logs errors, NXDOMAIN responses, and NODATA responses. * Trace logs errors and all responses.\n Setting logLevel: Trace will produce extremely verbose logs.\nValid values are: \"Normal\", \"Debug\", \"Trace\". Defaults to \"Normal\".", "cache": "cache describes the caching configuration that applies to all server blocks listed in the Corefile. This field allows a cluster admin to optionally configure: * positiveTTL which is a duration for which positive responses should be cached. * negativeTTL which is a duration for which negative responses should be cached. If this is not configured, OpenShift will configure positive and negative caching with a default value that is subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is 30 seconds or as noted in the respective Corefile for your version of OpenShift.", + "template": "template is an optional configuration for custom DNS query handling via the CoreDNS template plugin. The template defines how to handle queries matching specific zones and query types.\n\nThe template applies to all domains (custom domains from spec.servers and the cluster domain) to ensure consistent DNS resolution across all paths.\n\nWhen this field is not set, no template plugin configuration is added to CoreDNS.", } func (DNSSpec) SwaggerDoc() map[string]string { 
@@ -721,6 +722,27 @@ func (DNSStatus) SwaggerDoc() map[string]string { return map_DNSStatus } +var map_DNSTemplate = map[string]string{ + "": "DNSTemplate defines a template for custom DNS query handling via the CoreDNS template plugin. DNSTemplate enables filtering or custom responses for DNS queries matching specific zones and query types.", + "zones": "zones specifies the DNS zones this template applies to. Each zone must be a valid DNS name as defined in RFC 1123. The special zone \".\" matches all domains (catch-all). Multiple zones can be specified to apply the same template actions to multiple domains. At least 1 and at most 15 zones may be specified.\n\nNote: root zone (\".\") includes cluster domain (cluster.local); use specific zones to avoid impacting IPv6 queries in IPv6 or dual-stack clusters.\n\nExamples: - [\".\"] matches all domains (catch-all for global AAAA filtering) - [\"example.com\"] matches only example.com and its subdomains - [\"example.com\", \"test.com\"] matches both domains and their subdomains", + "queryType": "queryType specifies the DNS query type to match. Valid values are \"AAAA\".", + "queryClass": "queryClass specifies the DNS query class to match. Valid values are \"IN\".", + "action": "action defines how to handle queries matching this template's zones and query type. The action builds a single DNS response by specifying the response code and may be extended by additional fields in the future.", +} + +func (DNSTemplate) SwaggerDoc() map[string]string { + return map_DNSTemplate +} + +var map_DNSTemplateAction = map[string]string{ + "": "DNSTemplateAction defines how to construct a DNS response for queries matching the template.", + "rcode": "rcode is the DNS response code to return. Valid values are \"NOERROR\".\n\nThe template returns a response with no answer records. 
For AAAA filtering, this means IPv6 address queries return successfully but with no IPv6 addresses, causing clients to fall back to IPv4 (A record) queries.", +} + +func (DNSTemplateAction) SwaggerDoc() map[string]string { + return map_DNSTemplateAction +} + var map_DNSTransportConfig = map[string]string{ "": "DNSTransportConfig groups related configuration parameters used for configuring forwarding to upstream resolvers that support DNS-over-TLS.", "transport": "transport allows cluster administrators to opt-in to using a DNS-over-TLS connection between cluster DNS and an upstream resolver(s). Configuring TLS as the transport at this level without configuring a CABundle will result in the system certificates being used to verify the serving certificate of the upstream resolver(s).\n\nPossible values: \"\" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject to change over time. The current default is \"Cleartext\". \"Cleartext\" - Cluster admin specified cleartext option. This results in the same functionality as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, or wants to switch from \"TLS\" to \"Cleartext\" explicitly. \"TLS\" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.", diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml index 8eabfb74bde..9e8a97f530d 100644 --- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml 
@@ -122,6 +122,9 @@ { "name": "DNSNameResolver" }, + { + "name": "DNSTemplatePlugin" + }, { "name": "DRAPartitionableDevices" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml index a18e3ffb8d4..3bedc117d21 100644 --- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml @@ -174,6 +174,9 @@ { "name": "DNSNameResolver" }, + { + "name": "DNSTemplatePlugin" + }, { "name": "DRAPartitionableDevices" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml index 799724633a5..5483d7f3b9c 100644 --- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml @@ -124,6 +124,9 @@ { "name": "DNSNameResolver" }, + { + "name": "DNSTemplatePlugin" + }, { "name": "DRAPartitionableDevices" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml index fec1cef6138..32d697c7ab2 100644 --- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml @@ -31,6 +31,9 @@ { "name": "ClusterUpdatePreflight" }, + { + "name": "DNSTemplatePlugin" + }, { "name": "EventedPLEG" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml index 0a5d2f69de5..3cc239adb72 100644 --- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml 
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml @@ -119,6 +119,9 @@ { "name": "DNSNameResolver" }, + { + "name": "DNSTemplatePlugin" + }, { "name": "DRAPartitionableDevices" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml index fb6e46db2d7..72de29c5ad9 100644 --- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml @@ -153,6 +153,9 @@ { "name": "DNSNameResolver" }, + { + "name": "DNSTemplatePlugin" + }, { "name": "DRAPartitionableDevices" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml index 8b60bf06878..283da65bfff 100644 --- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml @@ -121,6 +121,9 @@ { "name": "DNSNameResolver" }, + { + "name": "DNSTemplatePlugin" + }, { "name": "DRAPartitionableDevices" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml index 3c48a8f327e..b6b1ae62d70 100644 --- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml @@ -31,6 +31,9 @@ { "name": "ClusterUpdatePreflight" }, + { + "name": "DNSTemplatePlugin" + }, { "name": "EventedPLEG" },