updates from api audit

Signed-off-by: Jordan Keister <jordan@nimblewidget.com>

api/v1alpha1/clusterextension_types.go

@@ -25,8 +25,8 @@ import (
 var ClusterExtensionKind = "ClusterExtension"
 
 type (
-	UpgradeConstraintPolicy string
-	CRDUpgradeSafetyPolicy  string
+	UpgradeConstraintPolicy     string
+	CRDUpgradeSafetyEnforcement string
 )
 
 const (
@@ -58,6 +58,7 @@ type ClusterExtensionSpec struct {
 	//   catalog:
 	//     packageName: example-package
 	//
+	// +kubebuilder:validation:Required
 	Source SourceConfig `json:"source"`
 
 	// install is a required field used to configure the installation options
@@ -69,6 +70,7 @@ type ClusterExtensionSpec struct {
 	//    namespace: example-namespace
 	//    serviceAccount:
 	//      name: example-sa
+	// +kubebuilder:validation:Required
 	Install ClusterExtensionInstallConfig `json:"install"`
 }
 
@@ -80,14 +82,16 @@ const SourceTypeCatalog = "Catalog"
 type SourceConfig struct {
 	// sourceType is a required reference to the type of install source.
 	//
-	// Allowed values are ["Catalog"]
+	// Allowed values are "Catalog"
 	//
-	// When this field is set to "Catalog", information for determining the appropriate
-	// bundle of content to install will be fetched from ClusterCatalog resources existing
-	// on the cluster. When using the Catalog sourceType, the catalog field must also be set.
+	// When this field is set to "Catalog", information for determining the
+	// appropriate bundle of content to install will be fetched from
+	// ClusterCatalog resources existing on the cluster.
+	// When using the Catalog sourceType, the catalog field must also be set.
 	//
 	// +unionDiscriminator
 	// +kubebuilder:validation:Enum:="Catalog"
+	// +kubebuilder:validation:Required
 	SourceType string `json:"sourceType"`
 
 	// catalog is used to configure how information is sourced from a catalog. This field must be defined when sourceType is set to "Catalog",
@@ -130,6 +134,7 @@ type ClusterExtensionInstallConfig struct {
 	//+kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
 	//+kubebuilder:validation:MaxLength:=63
 	//+kubebuilder:validation:XValidation:rule="self == oldSelf",message="namespace is immutable"
+	//+kubebuilder:validation:Required
 	Namespace string `json:"namespace"`
 
 	// serviceAccount is a required reference to a ServiceAccount that exists
@@ -140,6 +145,7 @@ type ClusterExtensionInstallConfig struct {
 	// the ServiceAccount provided via this field should be configured with the
 	// appropriate permissions to perform the necessary operations on all the
 	// resources that are included in the bundle of content being applied.
+	//+kubebuilder:validation:Required
 	ServiceAccount ServiceAccountReference `json:"serviceAccount"`
 
 	// preflight is an optional field that can be used to configure the preflight checks run before installation or upgrade of the content for the package specified in the packageName field.
@@ -181,6 +187,7 @@ type CatalogSource struct {
 	//+kubebuilder:validation:MaxLength:=253
 	//+kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
 	//+kubebuilder:validation:XValidation:rule="self == oldSelf",message="packageName is immutable"
+	//+kubebuilder:validation:Required
 	PackageName string `json:"packageName"`
 
 	// version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed.
@@ -258,14 +265,14 @@ type CatalogSource struct {
 	// For more information on semver, please see https://semver.org/
 	//
 	//+kubebuilder:validation:MaxLength:=64
-	//+kubebuilder:validation:Pattern=`^(\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\^)\s*(v?(0|[1-9]\d*|[x|X|\*])(\.(0|[1-9]\d*|x|X|\*]))?(\.(0|[1-9]\d*|x|X|\*))?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?)\s*)((?:\s+|,\s*|\s*\|\|\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\^)\s*(v?(0|[1-9]\d*|x|X|\*])(\.(0|[1-9]\d*|x|X|\*))?(\.(0|[1-9]\d*|x|X|\*]))?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?)\s*)*$`
+	//+kubebuilder:validation:XValidation:rule="self.matches(\"^(\\\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\\\^)\\\\s*(v?(0|[1-9]\\\\d*|[x|X|\\\\*])(\\\\.(0|[1-9]\\\\d*|x|X|\\\\*]))?(\\\\.(0|[1-9]\\\\d*|x|X|\\\\*))?(-([0-9A-Za-z\\\\-]+(\\\\.[0-9A-Za-z\\\\-]+)*))?(\\\\+([0-9A-Za-z\\\\-]+(\\\\.[0-9A-Za-z\\\\-]+)*))?)\\\\s*)((?:\\\\s+|,\\\\s*|\\\\s*\\\\|\\\\|\\\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\\\^)\\\\s*(v?(0|[1-9]\\\\d*|x|X|\\\\*])(\\\\.(0|[1-9]\\\\d*|x|X|\\\\*))?(\\\\.(0|[1-9]\\\\d*|x|X|\\\\*]))?(-([0-9A-Za-z\\\\-]+(\\\\.[0-9A-Za-z\\\\-]+)*))?(\\\\+([0-9A-Za-z\\\\-]+(\\\\.[0-9A-Za-z\\\\-]+)*))?)\\\\s*)*$\")",message="invalid version expression in the catalog source"
 	//+optional
 	Version string `json:"version,omitempty"`
 
 	// channels is an optional reference to a set of channels belonging to
 	// the package specified in the packageName field.
 	//
-	// A "channel" is a package author defined stream of updates for an extension.
+	// A "channel" is a package-author-defined stream of updates for an extension.
 	//
 	// When specified, it is used to constrain the set of installable bundles and
 	// the automated upgrade path. This constraint is an AND operation with the
@@ -322,7 +329,7 @@ type CatalogSource struct {
 	// the upgrade path(s) defined in the catalog are enforced for the package
 	// referenced in the packageName field.
 	//
-	// Allowed values are: ["CatalogProvided", "SelfCertified"].
+	// Allowed values are: "CatalogProvided" or "SelfCertified".
 	//
 	// When this field is set to "CatalogProvided", automatic upgrades will only occur
 	// when upgrade constraints specified by the package author are met.
@@ -373,6 +380,7 @@ type ServiceAccountReference struct {
 	//+kubebuilder:validation:MaxLength:=253
 	//+kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
 	//+kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable"
+	//+kubebuilder:validation:Required
 	Name string `json:"name"`
 }
 
@@ -386,28 +394,30 @@ type PreflightConfig struct {
 	// consequences of upgrading a CRD, such as data loss.
 	//
 	// This field is required if the spec.install.preflight field is specified.
+	//+kubebuilder:validation:Required
 	CRDUpgradeSafety *CRDUpgradeSafetyPreflightConfig `json:"crdUpgradeSafety"`
 }
 
 // CRDUpgradeSafetyPreflightConfig is the configuration for CRD upgrade safety preflight check.
 type CRDUpgradeSafetyPreflightConfig struct {
-	// policy is used to configure the state of the CRD Upgrade Safety pre-flight check.
+	// enforcement is used to configure the state of the CRD Upgrade Safety pre-flight check.
 	//
 	// This field is required when the spec.install.preflight.crdUpgradeSafety field is
 	// specified.
 	//
-	// Allowed values are ["Enabled", "Disabled"]. The default value is "Enabled".
+	// Allowed values are "None" or "Strict". The default value is "Strict".
 	//
-	// When set to "Disabled", the CRD Upgrade Safety pre-flight check will be skipped
+	// When set to "None", the CRD Upgrade Safety pre-flight check will be skipped
 	// when performing an upgrade operation. This should be used with caution as
 	// unintended consequences such as data loss can occur.
 	//
-	// When set to "Enabled", the CRD Upgrade Safety pre-flight check will be run when
+	// When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when
 	// performing an upgrade operation.
 	//
-	//+kubebuilder:validation:Enum:="Enabled";"Disabled"
-	//+kubebuilder:default:=Enabled
-	Policy CRDUpgradeSafetyPolicy `json:"policy"`
+	//+kubebuilder:validation:Enum:="None";"Strict"
+	//+kubebuilder:default:=Strict
+	//+kubebuilder:validation:Required
+	Enforcement CRDUpgradeSafetyEnforcement `json:"enforcement"`
 }
 
 const (
@@ -428,8 +438,10 @@ const (
 	ReasonBlocked    = "Blocked"
 	ReasonRetrying   = "Retrying"
 
-	CRDUpgradeSafetyPolicyEnabled  CRDUpgradeSafetyPolicy = "Enabled"
-	CRDUpgradeSafetyPolicyDisabled CRDUpgradeSafetyPolicy = "Disabled"
+	// None will not perform CRD upgrade safety checks.
+	CRDUpgradeSafetyEnforcementNone CRDUpgradeSafetyEnforcement = "None"
+	// Strict will enforce the CRD upgrade safety check and block the upgrade if the CRD would not pass the check.
+	CRDUpgradeSafetyEnforcementStrict CRDUpgradeSafetyEnforcement = "Strict"
 )
 
 func init() {
@@ -455,9 +467,11 @@ func init() {
 type BundleMetadata struct {
 	// name is a required field and is a reference
 	// to the name of a bundle
+	//+kubebuilder:validation:Required
 	Name string `json:"name"`
 	// version is a required field and is a reference
 	// to the version that this bundle represents
+	//+kubebuilder:validation:Required
 	Version string `json:"version"`
 }
 
@@ -496,6 +510,7 @@ type ClusterExtensionStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
+	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
 }
 
@@ -504,6 +519,7 @@ type ClusterExtensionInstallStatus struct {
 	//
 	// A "bundle" is a versioned set of content that represents the resources that
 	// need to be applied to a cluster to install a package.
+	//+kubebuilder:validation:Required
 	Bundle BundleMetadata `json:"bundle"`
 }
 
@@ -516,7 +532,9 @@ type ClusterExtension struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   ClusterExtensionSpec   `json:"spec,omitempty"`
+	//+optional
+	Spec ClusterExtensionSpec `json:"spec,omitempty"`
+	//+optional
 	Status ClusterExtensionStatus `json:"status,omitempty"`
 }
 
@@ -525,8 +543,10 @@ type ClusterExtension struct {
 // ClusterExtensionList contains a list of ClusterExtension
 type ClusterExtensionList struct {
 	metav1.TypeMeta `json:",inline"`
+	//+optional
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ClusterExtension `json:"items"`
+	//+kubebuilder:validation:Required
+	Items []ClusterExtension `json:"items"`
 }
 
 func init() {

config/base/crd/bases/olm.operatorframework.io_clusterextensions.yaml

@@ -102,28 +102,28 @@ spec:
 
                           This field is required if the spec.install.preflight field is specified.
                         properties:
-                          policy:
-                            default: Enabled
+                          enforcement:
+                            default: Strict
                             description: |-
-                              policy is used to configure the state of the CRD Upgrade Safety pre-flight check.
+                              enforcement is used to configure the state of the CRD Upgrade Safety pre-flight check.
 
                               This field is required when the spec.install.preflight.crdUpgradeSafety field is
                               specified.
 
-                              Allowed values are ["Enabled", "Disabled"]. The default value is "Enabled".
+                              Allowed values are "None" or "Strict". The default value is "Strict".
 
-                              When set to "Disabled", the CRD Upgrade Safety pre-flight check will be skipped
+                              When set to "None", the CRD Upgrade Safety pre-flight check will be skipped
                               when performing an upgrade operation. This should be used with caution as
                               unintended consequences such as data loss can occur.
 
-                              When set to "Enabled", the CRD Upgrade Safety pre-flight check will be run when
+                              When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when
                               performing an upgrade operation.
                             enum:
-                            - Enabled
-                            - Disabled
+                            - None
+                            - Strict
                             type: string
                         required:
-                        - policy
+                        - enforcement
                         type: object
                     required:
                     - crdUpgradeSafety
@@ -208,7 +208,7 @@ spec:
                           channels is an optional reference to a set of channels belonging to
                           the package specified in the packageName field.
 
-                          A "channel" is a package author defined stream of updates for an extension.
+                          A "channel" is a package-author-defined stream of updates for an extension.
 
                           When specified, it is used to constrain the set of installable bundles and
                           the automated upgrade path. This constraint is an AND operation with the
@@ -340,7 +340,7 @@ spec:
                           the upgrade path(s) defined in the catalog are enforced for the package
                           referenced in the packageName field.
 
-                          Allowed values are: ["CatalogProvided", "SelfCertified"].
+                          Allowed values are: "CatalogProvided" or "SelfCertified".
 
                           When this field is set to "CatalogProvided", automatic upgrades will only occur
                           when upgrade constraints specified by the package author are met.
@@ -433,20 +433,23 @@ spec:
 
                           For more information on semver, please see https://semver.org/
                         maxLength: 64
-                        pattern: ^(\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\^)\s*(v?(0|[1-9]\d*|[x|X|\*])(\.(0|[1-9]\d*|x|X|\*]))?(\.(0|[1-9]\d*|x|X|\*))?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?)\s*)((?:\s+|,\s*|\s*\|\|\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\^)\s*(v?(0|[1-9]\d*|x|X|\*])(\.(0|[1-9]\d*|x|X|\*))?(\.(0|[1-9]\d*|x|X|\*]))?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?)\s*)*$
                         type: string
+                        x-kubernetes-validations:
+                        - message: invalid version expression in the catalog source
+                          rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$")
                     required:
                     - packageName
                     type: object
                   sourceType:
                     description: |-
                       sourceType is a required reference to the type of install source.
 
-                      Allowed values are ["Catalog"]
+                      Allowed values are "Catalog"
 
-                      When this field is set to "Catalog", information for determining the appropriate
-                      bundle of content to install will be fetched from ClusterCatalog resources existing
-                      on the cluster. When using the Catalog sourceType, the catalog field must also be set.
+                      When this field is set to "Catalog", information for determining the
+                      appropriate bundle of content to install will be fetched from
+                      ClusterCatalog resources existing on the cluster.
+                      When using the Catalog sourceType, the catalog field must also be set.
                     enum:
                     - Catalog
                     type: string