From 30a56bb56f625d4b38b79b1754e8c5459916ef58 Mon Sep 17 00:00:00 2001 
From: "W. Trevor King" Date: Thu, 16 Jul 2020 10:01:32 -0700 Subject: [PATCH] config/v1/types_cluster_version: Drop availableUpdates from Force docs The outgoing text is unchanged since the property landed ab4ff93d20 (Update ClusterVersion to have a 'force' update flag and track verified, 2019-04-22, #293). Those docs fit on the 'oc' client side until openshift/oc@0501d04ff1 (upgrade: Separate flags for safety instead of abusing force, 2019-09-27, openshift/oc#109), but never applied to the cluster-version operator (CVO) side or the ClusterVersion type. The CVO uses Force to bypass verification failures [1] (invalid pullspec [2], lack of trusted signature [3], etc.) or preconditions [4] (ClusterVersion had Upgradeable=False for a requested minor bump [5]). availableUpdates is orthogonal. I don't know what "other forms of consistency checking" was about, so I've dropped that too. If folks want to call out explicit categories that cannot be overridden with Force, we should do that with less ambiguous wording. 
Autogenerated bumps via: $ hack/update-swagger-docs.sh $ make update-codegen-crds [1]: https://github.com/openshift/cluster-version-operator/blob/28e4400eeb9ded7e09ff684e75780599cb25ec2c/pkg/cvo/updatepayload.go#L91-L102 [2]: https://github.com/openshift/cluster-version-operator/blob/28e4400eeb9ded7e09ff684e75780599cb25ec2c/pkg/verify/verify.go#L138 [3]: https://github.com/openshift/cluster-version-operator/blob/28e4400eeb9ded7e09ff684e75780599cb25ec2c/pkg/verify/verify.go#L182 [4]: https://github.com/openshift/cluster-version-operator/blob/28e4400eeb9ded7e09ff684e75780599cb25ec2c/pkg/cvo/sync_worker.go#L527-L529 [5]: https://github.com/openshift/cluster-version-operator/blob/28e4400eeb9ded7e09ff684e75780599cb25ec2c/pkg/payload/precondition/clusterversion/upgradeable.go#L74-L79 --- ...ersion-operator_01_clusterversion.crd.yaml | 54 +++++++++---------- config/v1/types_cluster_version.go | 19 ++++--- .../v1/zz_generated.swagger_doc_generated.go | 2 +- 3 files changed, 34 insertions(+), 41 deletions(-) diff --git a/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml b/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml index ccde0db23bb..45f60259489 100644 --- a/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml +++ b/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml 
@@ -85,16 +85,14 @@ spec: type: object properties: force: - description: "force allows an administrator to update to an image - that has failed verification, does not appear in the availableUpdates - list, or otherwise would be blocked by normal protections on update. - This option should only be used when the authenticity of the provided - image has been verified out of band because the provided image - will run with full administrative access to the cluster. Do not - use this flag with images that comes from unknown or potentially - malicious sources. \n This flag does not override other forms - of consistency checking that are required before a new update - is deployed." + description: force allows an administrator to update to an image + that has failed verification, failed precondition checks, or would + otherwise be blocked by normal protections on update. This option + should only be used when the authenticity of the provided image + has been verified out of band because the provided image will + run with full administrative access to the cluster. Do not use + this flag with images that comes from unknown or potentially malicious + sources. type: boolean image: description: image is a container image location that contains the 
@@ -167,16 +165,14 @@ spec: type: object properties: force: - description: "force allows an administrator to update to an image - that has failed verification, does not appear in the availableUpdates - list, or otherwise would be blocked by normal protections on - update. This option should only be used when the authenticity - of the provided image has been verified out of band because - the provided image will run with full administrative access - to the cluster. Do not use this flag with images that comes - from unknown or potentially malicious sources. \n This flag - does not override other forms of consistency checking that are - required before a new update is deployed." + description: force allows an administrator to update to an image + that has failed verification, failed precondition checks, or + would otherwise be blocked by normal protections on update. + This option should only be used when the authenticity of the + provided image has been verified out of band because the provided + image will run with full administrative access to the cluster. + Do not use this flag with images that comes from unknown or + potentially malicious sources. type: boolean image: description: image is a container image location that contains 
@@ -235,16 +231,14 @@ spec: type: object properties: force: - description: "force allows an administrator to update to an image - that has failed verification, does not appear in the availableUpdates - list, or otherwise would be blocked by normal protections on update. - This option should only be used when the authenticity of the provided - image has been verified out of band because the provided image - will run with full administrative access to the cluster. Do not - use this flag with images that comes from unknown or potentially - malicious sources. \n This flag does not override other forms - of consistency checking that are required before a new update - is deployed." + description: force allows an administrator to update to an image + that has failed verification, failed precondition checks, or would + otherwise be blocked by normal protections on update. This option + should only be used when the authenticity of the provided image + has been verified out of band because the provided image will + run with full administrative access to the cluster. Do not use + this flag with images that comes from unknown or potentially malicious + sources. type: boolean image: description: image is a container image location that contains the diff --git a/config/v1/types_cluster_version.go b/config/v1/types_cluster_version.go index 771e962add0..20487af4027 100644 --- a/config/v1/types_cluster_version.go +++ b/config/v1/types_cluster_version.go 
@@ -236,16 +236,15 @@ type Update struct {
 //
 // +optional
 Image string `json:"image"`
- // force allows an administrator to update to an image that has failed
- // verification, does not appear in the availableUpdates list, or otherwise
- // would be blocked by normal protections on update. This option should only
- // be used when the authenticity of the provided image has been verified out
- // of band because the provided image will run with full administrative access
- // to the cluster. Do not use this flag with images that comes from unknown
- // or potentially malicious sources.
- //
- // This flag does not override other forms of consistency checking that are
- // required before a new update is deployed.
+
+ // force allows an administrator to update to an image that has
+ // failed verification, failed precondition checks, or would
+ // otherwise be blocked by normal protections on update. This option
+ // should only be used when the authenticity of the provided image
+ // has been verified out of band because the provided image will run
+ // with full administrative access to the cluster. Do not use this
+ // flag with images that comes from unknown or potentially malicious
+ // sources.
 //
 // +optional
 Force bool `json:"force"`
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go
index dc72d5f9bae..11593dbc37b 100644
--- a/config/v1/zz_generated.swagger_doc_generated.go
+++ b/config/v1/zz_generated.swagger_doc_generated.go
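Review bot: The new `Force` comment still closes its list with `or would otherwise be blocked by normal protections on update`, the same kind of open-ended wording the commit description objects to in the removed sentence, so an administrator reading the API docs cannot tell which safeguards the flag switches off. The description names two categories the CVO bypasses (verification failures such as a missing trusted signature, and preconditions such as Upgradeable=False), so I would state them directly: `// force allows an administrator to update to an image that has failed verification (for example, it lacks a trusted signature) or failed precondition checks (for example, Upgradeable=False).` While this text is being touched, `images that comes from` should read `images that come from`. The same wording is copied into the generated CRD YAML and swagger doc hunks, so fix it in this file and regenerate; the `Update` struct begins and continues outside this hunk.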
@@ -524,7 +524,7 @@ var map_Update = map[string]string{ "": "Update represents a release of the ClusterVersionOperator, referenced by the Image member.", "version": "version is a semantic versioning identifying the update version. When this field is part of spec, version is optional if image is specified.", "image": "image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version.", - "force": "force allows an administrator to update to an image that has failed verification, does not appear in the availableUpdates list, or otherwise would be blocked by normal protections on update. This option should only be used when the authenticity of the provided image has been verified out of band because the provided image will run with full administrative access to the cluster. Do not use this flag with images that comes from unknown or potentially malicious sources.\n\nThis flag does not override other forms of consistency checking that are required before a new update is deployed.", + "force": "force allows an administrator to update to an image that has failed verification, failed precondition checks, or would otherwise be blocked by normal protections on update. This option should only be used when the authenticity of the provided image has been verified out of band because the provided image will run with full administrative access to the cluster. Do not use this flag with images that comes from unknown or potentially malicious sources.", } func (Update) SwaggerDoc() map[string]string {